Total
3 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-23523 | 1 Openagentplatform | 1 Dive | 2026-02-09 | N/A | 9.6 CRITICAL |
|
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0.
|
|||||
| CVE-2025-66580 | 1 Openagentplatform | 1 Dive | 2026-01-02 | N/A | 9.6 CRITICAL |
|
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the nod ...
Show More |
|||||
| CVE-2025-58176 | 1 Openagentplatform | 1 Dive | 2025-09-11 | N/A | 8.8 HIGH |
|
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. In versions 0.9.0 through 0.9.3, there is a one-click Remote Code Execution vulnerability triggered through a custom url value, `transport` in the JSON object. An attacker can exploit the vulnerability in the following two scenarios: a victim visits a malicious website controlled by the attacker and the website redirect to the URL automatically, or a victim clicks on such a crafted link embed ...
Show More |
|||||