Lucene search
K

49 matches found

Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.7 views

PT-2026-24639

An unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query the raw request query when Grant's session/state responses are empt...

9.3CVSS5.8AI score
Exploits0References3
CVE
CVE
added 2026/02/21 3:23 a.m.19 views

CVE-2026-27191

Feathersjs (Feathers) Open Redirect in OAuth callback (CVE-2026-27191) affects versions 5.0.39 and earlier where the redirect query parameter is appended to the base origin without validation. This allows an attacker to steal victims’ access tokens via URL authority injection, leading to account ...

7.4CVSS5.6AI score0.00254EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/13 9:4 p.m.3 views

GHSA-W5CR-2QHR-JQC5 Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site

Summary A Reflected Cross-Site Scripting XSS vulnerability was discovered in the AI Playground's OAuth callback handler. The errordescription query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the contex...

6.2CVSS6AI score
Exploits0References4
Snyk
Snyk
added 2026/02/13 2:55 a.m.5 views

Cross-site Scripting (XSS)

Overview agents is an A home for your AI agents Affected versions of this package are vulnerable to Cross-site Scripting XSS via the errordescription query parameter in the OAuth callback handler, which is directly interpolated into an HTML script tag without proper escaping. An attacker can...

8.2CVSS5.7AI score0.00371EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/02/13 1:46 a.m.7 views

CVE-2026-1721

Summary A Reflected Cross-Site Scripting XSS vulnerability was discovered in the AI Playground's OAuth callback handler. The errordescription query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the contex...

6.2CVSS5.9AI score0.00371EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/02/13 12:0 a.m.6 views

Cloudflare Agents 安全漏洞

Cloudflare Agents is an open-source tool developed by Cloudflare for building and deploying AI agents on Cloudflare platforms. There is a security vulnerability in Cloudflare Agents, which stems from the improper escaping of the errordescription query parameter in the OAuth callback handler of th...

6.2CVSS5.7AI score0.00371EPSS
Exploits0References1
Veracode
Veracode
added 2025/12/13 7:54 a.m.6 views

Reflected Cross Site Scripting (XSS)

FastMCP is vulnerable to a reflected cross-site scripting XSS. The vulnerability is due to unescaped user-controlled input being reflected in the OAuth client callback HTML page oauthcallback.py, which allows an attacker to inject and execute arbitrary JavaScript in the context of the callback...

6.1CVSS5.4AI score0.0025EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2025/12/13 7:43 a.m.7 views

Cross-Site Scripting (XSS)

spotipy is vulnerable to cross-site scripting XSS. The vulnerability is due to improper sanitization of the error parameter in the OAuth callback server, which allows an attacker to inject and execute arbitrary JavaScript in the user's browser during OAuth authentication...

3.6CVSS6AI score0.00138EPSS
Exploits0References3Affected Software1
Tenable Nessus
Tenable Nessus
added 2025/12/08 12:0 a.m.6 views

FreeBSD : spotipy -- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (8acfcfdc-d27c-11f0-8512-b0416f0c4c67)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 8acfcfdc-d27c-11f0-8512-b0416f0c4c67 advisory. https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm reports: Spotipy is a...

3.6CVSS5.4AI score0.00138EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2025/11/28 12:22 a.m.3 views

SUSE CVE-2025-66040

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting XSS vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's brows...

3.6CVSS6.4AI score0.00138EPSS
Exploits0References3
NVD
NVD
added 2025/11/27 12:15 a.m.11 views

CVE-2025-66040

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting XSS vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's brows...

3.6CVSS0.00138EPSS
Exploits0References2
OSV
OSV
added 2025/11/27 12:15 a.m.1 views

DEBIAN-CVE-2025-66040

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting XSS vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's brows...

3.6CVSS5.4AI score0.00138EPSS
Exploits0References1
CNNVD
CNNVD
added 2025/11/27 12:0 a.m.6 views

Spotipy 跨站脚本漏洞

Spotipy is the spotipy-dev individual developer's lightweight Python library for the Spotify Web API. A cross-site scripting vulnerability exists in Spotipy versions prior to 2.25.2, which stems from the OAuth callback server failing to clean up incorrect parameters, which could lead to a...

3.6CVSS5.8AI score0.00138EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2025/11/26 11:14 p.m.2 views

CVE-2025-66040 Spotipy has a XSS vulnerability in OAuth callback server

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting XSS vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's brows...

3.6CVSS5.9AI score0.00138EPSS
Exploits0References2
OSV
OSV
added 2025/11/26 11:14 p.m.6 views

CVE-2025-66040 Spotipy has a XSS vulnerability in OAuth callback server

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting XSS vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's brows...

3.6CVSS6.3AI score0.00138EPSS
Exploits0References4
Debian CVE
Debian CVE
added 2025/11/26 11:14 p.m.5 views

CVE-2025-66040

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting XSS vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's brows...

3.6CVSS5.4AI score0.00138EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2025/11/26 12:0 a.m.2 views

PT-2025-48208

Name of the Vulnerable Software and Affected Versions Spotipy versions prior to 2.25.2 Description Spotipy is a Python library used for interacting with the Spotify Web API. A flaw exists in the OAuth callback server that permits JavaScript injection through an unsanitized error parameter, leadin...

3.6CVSS6.1AI score0.00138EPSS
Exploits0References21
EUVD
EUVD
added 2025/11/07 6:30 p.m.4 views

EUVD-2025-38267

An Open Redirect vulnerability exists in the OAuth callback handler in file onlook/apps/web/client/src/app/auth/callback/route.ts in Onlook web application 0.2.32. The vulnerability occurs because the application trusts the X-Forwarded-Host header value without proper validation when constructing...

6.3AI score0.00408EPSS
Exploits1References3
NVD
NVD
added 2025/11/07 5:15 p.m.7 views

CVE-2025-63784

An Open Redirect vulnerability exists in the OAuth callback handler in file onlook/apps/web/client/src/app/auth/callback/route.ts in Onlook web application 0.2.32. The vulnerability occurs because the application trusts the X-Forwarded-Host header value without proper validation when constructing...

6.5CVSS0.00408EPSS
Exploits1References2
OSV
OSV
added 2025/11/07 5:15 p.m.7 views

CVE-2025-63784

An Open Redirect vulnerability exists in the OAuth callback handler in file onlook/apps/web/client/src/app/auth/callback/route.ts in Onlook web application 0.2.32. The vulnerability occurs because the application trusts the X-Forwarded-Host header value without proper validation when constructing...

6.5CVSS5.9AI score0.00408EPSS
Exploits1References2
Rows per page
Query Builder