Nixpkgs Security Tracker

Dismissed

Permalink CVE-2026-23523

9.7 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 2 months ago by @LeSuisse Activity log

Created automatic suggestion 2 months ago
@LeSuisse removed
7 packages
- dive
- git-dive
- libdivecomputer
- haskellPackages.diversity
- haskellPackages.data-diverse
- typstPackages.diverential_0_2_0
- gnomeExtensions.the-indie-beat-fediverse-radio
2 months ago
@LeSuisse dismissed 2 months ago

Dive allows One-click Remote Code Execution through Deep Links for MCP Install

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0.

References

https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-pjj5-f3wm-f9m8 x_refsource_CONFIRM
https://github.com/OpenAgentPlatform/Dive/commit/a5162ac9eff366d8ea1215b8a47139a81a55a779 x_refsource_MISC

Affected products

Dive

==< 0.13.0

OpenAgentPlatform/Dive is not present in nixpkgs

Suggestion detail

References

Affected products