Lucene search
K

10 matches found

RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.4 views

CVE-2026-32112

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...

6.8CVSS5.9AI score0.00181EPSS
Exploits0References1
OSV
OSV
added 2026/03/12 2:23 p.m.2 views

GHSA-PF93-J98V-25PV ha-mcp has XSS via Unescaped HTML in OAuth Consent Form

Summary The ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects...

6.8CVSS5.9AI score0.00181EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/12 2:23 p.m.8 views

EUVD-2026-11385

ha-mcp has XSS via Unescaped HTML in OAuth Consent Form...

6.8CVSS5.8AI score0.00181EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/12 2:23 p.m.14 views

ha-mcp has XSS via Unescaped HTML in OAuth Consent Form

Summary The ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects...

6.8CVSS5.8AI score0.00181EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/03/11 9:16 p.m.6 views

CVE-2026-32112

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...

6.8CVSS0.00181EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/11 8:42 p.m.1 views

CVE-2026-32112 ha-mcp has XSS via Unescaped HTML in OAuth Consent Form

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...

6.8CVSS5.8AI score0.00181EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/11 8:42 p.m.3 views

CVE-2026-32112

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...

6.8CVSS5.8AI score0.00181EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/03/11 8:42 p.m.18 views

CVE-2026-32112

ha-mcp (Home Assistant MCP Server) is affected prior to 7.0.0 by an XSS vulnerability in the OAuth consent form. The issue arises because the consent form renders user-controlled parameters using Python f-strings without HTML escaping, allowing an attacker who can reach the OAuth endpoint and ind...

6.8CVSS5.8AI score0.00181EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/03/11 8:42 p.m.27 views

CVE-2026-32112 ha-mcp has XSS via Unescaped HTML in OAuth Consent Form

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...

6.8CVSS0.00181EPSS
Exploits0References1
OSV
OSV
added 2026/03/11 8:42 p.m.5 views

CVE-2026-32112 ha-mcp has XSS via Unescaped HTML in OAuth Consent Form

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...

6.8CVSS5.9AI score0.00181EPSS
Exploits0References3
Rows per page
Query Builder