CVE-2025-66580CRITICAL 9.6EPSS p37.5%

CVE-2025-66580CVE-2025-66580

Description

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked. Version 0.11.1 fixes the issue.

Scoring

CVSS 3.19.6 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS0.48% probability of exploitation · percentile 37.5% · 2026-06-19T12:03:05Z
Published2025-12-19
Last modified2026-01-02

Underlying weaknesses· 2

CWE-94CWE-79

References

  1. https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-xv8m-365j-x6h2
  2. https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-xv8m-365j-x6h2

2

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')cwe-790%live
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-58176
CVE
CVE-2025-66222
CVE
CVE-2026-23523
CVE
CVE-2025-67744
CVE
CVE-2025-66481
CVE
CVE-2025-58768
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.