Lucene search

15 matches found

Veracode
added 2025/12/13 7:54 a.m. · 3 views

Reflected Cross Site Scripting (XSS)

FastMCP is vulnerable to a reflected cross-site scripting (XSS) issue. The vulnerability is due to unescaped user-controlled input being reflected in the OAuth client callback HTML page oauth_callback.py, which allows an attacker to inject and execute arbitrary JavaScript in the context of the callback...

CVSS 6.1 · AI score 5.4 · EPSS 0.00059
Exploits 1 · References 3 · Affected Software 1
RedhatCVE
added 2025/10/29 10:13 p.m. · 3 views

CVE-2025-62800

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page oauth_callback.py where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScri...

CVSS 6.1 · AI score 6.3 · EPSS 0.00059
Exploits 1 · References 1
EUVD
added 2025/10/29 3:38 p.m. · 2 views

EUVD-2025-36568

FastMCP vulnerable to reflected XSS in client's callback page...

CVSS 5.3 · AI score 5.8 · EPSS 0.00059
Exploits 1 · References 4
Github Security Blog
added 2025/10/29 3:38 p.m. · 6 views

FastMCP vulnerable to reflected XSS in client's callback page

Summary: While setting up an OAuth client, it was noticed that the callback page hosted by the client during the flow embeds user-controlled content without escaping or sanitizing it. This leads to a reflected cross-site scripting vulnerability. Details: The affected code is located in...

CVSS 6.1 · AI score 6.5 · EPSS 0.00059
Exploits 1 · References 5 · Affected Software 1
OSV
added 2025/10/29 3:38 p.m. · 3 views

GHSA-MXXR-JV3V-6PGC FastMCP vulnerable to reflected XSS in client's callback page

Summary: While setting up an OAuth client, it was noticed that the callback page hosted by the client during the flow embeds user-controlled content without escaping or sanitizing it. This leads to a reflected cross-site scripting vulnerability. Details: The affected code is located in...

CVSS 5.3 · AI score 6.5 · EPSS 0.00059
Exploits 1 · References 5
OSV
added 2025/10/28 9:34 p.m. · 2 views

CVE-2025-62800 FastMCP vulnerable to reflected XSS in client's callback page

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page oauth_callback.py where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScri...

CVSS 5.3 · AI score 6.4 · EPSS 0.00059
Exploits 1 · References 3
Vulnrichment
added 2025/10/28 9:34 p.m. · 1 view

CVE-2025-62800 FastMCP vulnerable to reflected XSS in client's callback page

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page oauth_callback.py where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScri...

CVSS 5.3 · AI score 5.9 · EPSS 0.00059
Exploits 1 · References 1
Positive Technologies
added 2025/10/28 12:00 a.m. · 3 views

PT-2025-44217

Name of the Vulnerable Software and Affected Versions: FastMCP versions prior to 2.13.0. Description: FastMCP, a framework for building MCP applications, is affected by a reflected cross-site scripting issue. The problem exists in the OAuth client callback page oauth_callback.py due to the insertion...

CVSS 6.1 · AI score 6.2 · EPSS 0.00059
Exploits 1 · References 8
CNNVD
added 2025/10/28 12:00 a.m. · 2 views

FastMCP cross-site scripting vulnerability

FastMCP is an MCP server builder by the individual developer Jeremiah Lowin. A cross-site scripting vulnerability exists in FastMCP versions prior to 2.13.0, which stems from an unescaped user-controlled value on the OAuth client callback page, which could lead to a reflected cross-site scripting...

CVSS 6.1 · AI score 5.8 · EPSS 0.00059
Exploits 1 · References 2
EUVD
added 2025/10/07 12:30 a.m. · 4 views

EUVD-2017-0359

Malware in sbrugna...

CVSS 7.5 · AI score 7.6 · EPSS 0.00329
Exploits 1 · References 6
Positive Technologies
added 2022/07/12 12:00 a.m. · 1 view

PT-2022-20529 · Argo CD · Argo CD

Name of the Vulnerable Software and Affected Versions: Argo CD versions 2.3.0 through 2.3.5; Argo CD versions 2.4.0 through 2.4.4. Description: The issue is a cross-site scripting (XSS) bug that could allow an attacker to inject arbitrary JavaScript in the "/auth/callback" page in a victim's browser...

CVSS 6.1 · AI score 5.8 · EPSS 0.00157
Exploits 0 · References 10
OSV
added 2017/12/06 7:29 p.m. · 10 views

CVE-2017-17068

A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions 8.12. This vulnerability allows an attacker to acquire authenticated users' tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with...

CVSS 7.5 · AI score 6.3 · EPSS 0.00329
Exploits 1 · References 2
Cvelist
added 2017/12/06 7:00 p.m. · 11 views

CVE-2017-17068

A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions 8.12. This vulnerability allows an attacker to acquire authenticated users' tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with...

AI score 7.2 · EPSS 0.00329
Exploits 1 · References 2
CNVD
added 2017/09/02 12:00 a.m. · 1 view

SQL injection vulnerability in OURPHP backend ourphp_callback.php page

OurPHP 傲派建站系统 is a website content management system developed in PHP; the developer is Harbin Weicheng Technology Co. A SQL injection vulnerability exists in the backend ourphp_callback.php page of OURPHP. Attackers can use this vulnerability to obtain sensitive database informatio...

AI score 7.9
Exploits 0
OSV
added 2017/05/05 6:29 p.m. · 1 view

CVE-2017-8304

An issue was discovered on Accellion FTA devices before FTA912180. courier/1000@/oauth/playground/callback.html allows XSS with a crafted URI...

CVSS 6.1 · AI score 5.8
Exploits 0 · References 1