10 matches found
CVE-2026-32112
ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...
GHSA-PF93-J98V-25PV ha-mcp has XSS via Unescaped HTML in OAuth Consent Form
Summary The ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects...
ha-mcp has XSS via Unescaped HTML in OAuth Consent Form
Summary The ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects...
EUVD-2026-11385
ha-mcp has XSS via Unescaped HTML in OAuth Consent Form...
CVE-2026-32112
ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...
CVE-2026-32112 ha-mcp has XSS via Unescaped HTML in OAuth Consent Form
ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...
CVE-2026-32112
ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...
CVE-2026-32112 ha-mcp has XSS via Unescaped HTML in OAuth Consent Form
ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...
CVE-2026-32112 ha-mcp has XSS via Unescaped HTML in OAuth Consent Form
ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...
CVE-2026-32112
ha-mcp (Home Assistant MCP Server) is affected prior to 7.0.0 by an XSS vulnerability in the OAuth consent form. The issue arises because the consent form renders user-controlled parameters using Python f-strings without HTML escaping, allowing an attacker who can reach the OAuth endpoint and ind...