PT-2025-52494 · Dive · Dive
C2An1 · Published 2025-12-19 · Updated 2026-01-02
CVE-2025-66580 · CVSS v3.1 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Dive versions prior to 0.11.1
Description: Dive is an open-source MCP Host Desktop Application that integrates with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) issue exists in the Mermaid diagram rendering component, which allows arbitrary JavaScript to be injected through the javascript: URI scheme. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, potentially leading to Remote Code Execution (RCE) on the victim's machine when a node is clicked.
Recommendations: Update to version 0.11.1 to resolve this issue.

Exploit · Fix · RCE · XSS · Code Injection

Weakness Enumeration

Related Identifiers: CVE-2025-66580, GHSA-XV8M-365J-X6H2

Affected Products: Dive