cvedb.io
CVE-2025-58176
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2025-09-03T04:16:02.413 · Last modified 2026-06-17T09:44:00.967

Summary

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. In versions 0.9.0 through 0.9.3, there is a one-click Remote Code Execution vulnerability triggered through a custom URL value, `transport`, in the JSON object. An attacker can exploit the vulnerability in the following two scenarios: a victim visits a malicious website controlled by the attacker and the website redirects to the URL automatically, or a victim clicks on such a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes Dive's custom URL handler (dive:), which launches the Dive app and processes the crafted URL, leading to arbitrary code execution on the victim's machine. This vulnerability is caused by improper proces

Affected products

openagentplatform — dive


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.