Stored Cross-Site Scripting Vulnerability in Dive Application by OpenAgentPlatform
CVE-2025-66580
9.7 CRITICAL
What is CVE-2025-66580?
The Dive application contains a stored cross-site scripting flaw in its Mermaid diagram rendering component. An attacker can inject arbitrary JavaScript through a crafted javascript: link in a diagram, which enables manipulation of Model Context Protocol (MCP) server configurations. Consequently, when a user clicks the affected node, the injected script can lead to Remote Code Execution (RCE) on their machine. Users are strongly advised to upgrade to version 0.11.1 or later, which addresses this security risk.
Affected Version(s)
Dive < 0.11.1
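
For applications that render untrusted Mermaid source, the link handling described above can be checked before rendering. The following is an added example, not code from Dive or from its 0.11.1 fix: it covers only flowchart `click` directives, and the allowlist policy, function names and sample diagram are assumptions made for illustration.

```javascript
// Added example: a pre-render check, not Dive's actual fix.
// Assumed policy: nodes may only link to absolute http, https or mailto URLs.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Matches Mermaid flowchart link directives such as:
//   click A "https://example.com" "tooltip"
//   click B href "https://example.com" _blank
const CLICK_LINK = /^\s*click\s+(\S+)\s+(?:href\s+)?"([^"]*)"/i;

// URL parsers drop tab/CR/LF anywhere in the input and leading control
// characters or spaces, so normalise the same way before reading the scheme.
function urlScheme(raw) {
  const cleaned = raw.replace(/[\t\r\n]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null: no scheme (relative link)
}

// Returns one finding per click directive whose link is outside the allowlist.
function findUnsafeClickLinks(diagramSource) {
  const findings = [];
  diagramSource.split(/\r?\n/).forEach((text, i) => {
    const m = CLICK_LINK.exec(text);
    if (!m) return;
    const scheme = urlScheme(m[2]);
    if (scheme === null || !ALLOWED_SCHEMES.has(scheme)) {
      findings.push({ line: i + 1, node: m[1], scheme });
    }
  });
  return findings;
}

// Drops offending directives so the diagram still renders, minus the link.
function stripUnsafeClickLinks(diagramSource) {
  const bad = new Set(findUnsafeClickLinks(diagramSource).map((f) => f.line));
  return diagramSource
    .split(/\r?\n/)
    .filter((_, i) => !bad.has(i + 1))
    .join("\n");
}

// Constructed sample: one benign link, two that must be rejected.
const sample = [
  "graph TD",
  "  A[Docs] --> B[Settings]",
  '  click A "https://example.com/docs" "Open docs"',
  '  click B href "javascript:void(0)" "Open settings"',
  '  click A href " JaVa\tScRiPt:void(0)"',
].join("\n");
console.log(findUnsafeClickLinks(sample));
```

Mermaid's own `securityLevel: 'strict'` setting, which disables click handling altogether, is the stricter alternative when diagram links are not needed.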
