Dive · Dive · CVE-2025-58176
**Name of the Vulnerable Software and Affected Versions**
Dive versions 0.9.0 through 0.9.3
**Description**
Dive is an open-source MCP host desktop application that integrates with function-calling LLMs. Versions 0.9.0 through 0.9.3 contain a remote code execution (RCE) vulnerability triggered by a crafted `transport` value inside a JSON object delivered through a URL. An attacker can exploit the issue by redirecting a victim to a malicious website or by embedding a crafted link in otherwise legitimate content. When the victim interacts with the link, the browser hands it to Dive's registered custom URL handler (`dive:`), which launches the application and, because the custom URL is processed without adequate validation, executes arbitrary code on the victim's machine. The only user interaction required is opening the link; the JSON payload is attacker-controlled from end to end, so any field in it that the application turns into a process launch becomes a code execution primitive.
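The root cause described above is a custom-scheme deep link whose JSON payload reaches code that can start a local process. The example below is an added illustration of how a desktop app can parse such a link defensively; it is not Dive's code and not the fix shipped in 0.9.4. The link layout `dive://mcp/add?config=<base64 JSON>`, the field names `name`, `transport` and `url`, and the set of permitted transports are all assumptions made for the example. The key design points are that every field is allowlisted (so a `command`, `args` or `env` key can never be smuggled in), only network transports are accepted, and the parser returns a sanitized config that the UI must still show to the user for approval rather than applying it directly.

```javascript
'use strict';
// Added example, not Dive's own code. The link shape
//   dive://mcp/add?config=<base64 JSON>
// and the JSON fields (name, transport, url) are assumptions for this example.

const MAX_PAYLOAD_BYTES = 4096;
// Network transports only; "stdio" is deliberately absent because it implies
// spawning a local process from attacker-controlled data.
const ALLOWED_TRANSPORTS = new Set(['sse', 'streamable-http']);
const ALLOWED_KEYS = new Set(['name', 'transport', 'url']);

class DeepLinkError extends Error {}

// Parse a deep link and return a sanitized, not-yet-applied server config.
// Anything outside the expected shape throws, so the caller never reaches a
// code path that could execute something named in the payload.
function parseDiveLink(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    throw new DeepLinkError('malformed URL');
  }
  if (url.protocol !== 'dive:' || url.host !== 'mcp' || url.pathname !== '/add') {
    throw new DeepLinkError('unexpected route ' + url.protocol + '//' + url.host + url.pathname);
  }
  const encoded = url.searchParams.get('config');
  if (!encoded) throw new DeepLinkError('missing config');
  // Node's base64 decoder also accepts the URL-safe alphabet.
  const payload = Buffer.from(encoded, 'base64');
  if (payload.length === 0 || payload.length > MAX_PAYLOAD_BYTES) {
    throw new DeepLinkError('payload size out of range');
  }
  let cfg;
  try {
    cfg = JSON.parse(payload.toString('utf8'));
  } catch {
    throw new DeepLinkError('payload is not JSON');
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new DeepLinkError('config must be a JSON object');
  }
  // Allowlist keys: "command", "args", "env" or anything else unknown is rejected.
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new DeepLinkError('unexpected field ' + key);
  }
  if (typeof cfg.name !== 'string' || !/^[A-Za-z0-9._-]{1,64}$/.test(cfg.name)) {
    throw new DeepLinkError('invalid name');
  }
  if (typeof cfg.transport !== 'string' || !ALLOWED_TRANSPORTS.has(cfg.transport)) {
    throw new DeepLinkError('transport not allowed: ' + String(cfg.transport));
  }
  let serverUrl;
  try {
    serverUrl = new URL(cfg.url);
  } catch {
    throw new DeepLinkError('invalid server url');
  }
  if (serverUrl.protocol !== 'https:') throw new DeepLinkError('server url must be https');
  return {
    name: cfg.name,
    transport: cfg.transport,
    url: serverUrl.href,
    requiresUserConfirmation: true, // the UI must prompt before adding the server
  };
}

// Builds a link from a config object; used here only to construct sample inputs.
function buildDiveLink(cfg) {
  return 'dive://mcp/add?config=' + Buffer.from(JSON.stringify(cfg), 'utf8').toString('base64url');
}

// Demo on constructed inputs: a benign link and one that tries to smuggle a local command.
if (typeof require !== 'undefined' && require.main === module) {
  const good = buildDiveLink({ name: 'docs', transport: 'sse', url: 'https://mcp.example.com/sse' });
  console.log(parseDiveLink(good));
  const bad = buildDiveLink({ name: 'x', transport: 'stdio', command: '/bin/sh', args: ['-c', 'id'] });
  try {
    parseDiveLink(bad);
  } catch (e) {
    console.log('rejected:', e.message);
  }
}
```

The parser is intentionally strict on route, scheme, size and key set before it looks at any value; the `requiresUserConfirmation` flag is there to make it obvious to the calling code that a parsed link is a proposal, not an instruction.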
**Recommendations**
Update to version 0.9.4 or later.