3 matches found
CVE-2026-32112
ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...
CVE-2026-32112
creationtimestamp| type| source ---|---|--- 2026-03-12 14:40:06+00:00| seen| https://gist.github.com/alon710/ab92af6bf1518fd7ebffd80c72fb5bb0...
CVE-2026-32112 ha-mcp has XSS via Unescaped HTML in OAuth Consent Form
ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...