
4 matches found

Cvelist
added 2025/10/28 9:34 p.m., 5 views

CVE-2025-62800 FastMCP vulnerable to reflected XSS in client's callback page

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page oauth_callback.py where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScri...

CVSS 5.3, EPSS 0.00059
Exploits: 1, References: 1
CVE
added 2025/10/28 9:34 p.m., 12 views

CVE-2025-62800

FastMCP (Python framework for MCP apps) is affected prior to version 2.13.0 by a reflected XSS in the OAuth client callback page (oauth_callback.py). The vulnerability occurs when unescaped user-controlled values are inserted into the generated HTML, enabling arbitrary JavaScript execution in the...

CVSS 6.1, AI score 6, EPSS 0.00059
Exploits: 1, References: 1, Affected Software: 1
Vulnrichment
added 2025/10/28 9:34 p.m., 1 views

CVE-2025-62800 FastMCP vulnerable to reflected XSS in client's callback page

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page oauth_callback.py where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScri...

CVSS 5.3, AI score 5.9, EPSS 0.00059
Exploits: 1, References: 1
CNNVD
added 2025/10/28 12:00 a.m., 2 views

FastMCP cross-site scripting vulnerability

FastMCP is an MCP server builder by the individual developer Jeremiah Lowin. A cross-site scripting vulnerability exists in FastMCP versions prior to 2.13.0. It stems from unescaped user-controlled values on the OAuth client callback page, which could lead to reflected cross-site scripting...

CVSS 6.1, AI score 5.8, EPSS 0.00059
Exploits: 1, References: 2