CVE-2025-62800 FastMCP vulnerable to reflected XSS in client's callback page

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page oauthcallback.py where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScri...

FastMCP 跨站脚本漏洞

FastMCP is an MCP server builder by the individual developer Jeremiah Lowin. A cross-site scripting vulnerability exists in FastMCP versions prior to 2.13.0, which stems from an unescaped user control value on the OAuth client callback page, which could lead to a reflective cross-site scripting...