Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Dive has Cross-Site Scripting vulnerability that can escalate to Remote Code Execution
Vulnerability Description
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked. Version 0.11.1 fixes the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
Dive 安全漏洞
Vulnerability Description
Dive是OpenAgentPlatform开源的一个MCP主机桌面应用程序。 Dive 0.11.1之前版本存在安全漏洞,该漏洞源于Mermaid图表渲染组件允许执行任意JavaScript,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A