{"data":{"id":"141ca668-854b-490f-be02-8429155a9a58","title":"GHSA-pf93-j98v-25pv: ha-mcp has XSS via Unescaped HTML in OAuth Consent Form","summary":"The ha-mcp OAuth consent form has a cross-site scripting (XSS) vulnerability, where user-controlled data is inserted into HTML without escaping (the process of converting special characters so they display as text rather than execute as code). An attacker could register a malicious application and trick the server operator into visiting a crafted authorization URL, allowing the attacker to run JavaScript in the operator's browser and steal sensitive tokens. This only affects users running the beta OAuth mode, not the standard setup.","solution":"Upgrade to version 7.0.0","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-pf93-j98v-25pv","publishedAt":"2026-03-12T14:23:44.000Z","cveId":"CVE-2026-32112","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["jailbreak"],"issueType":"vulnerability","affectedPackages":["ha-mcp@< 7.0.0 (fixed: 7.0.0)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["ha-mcp","Claude.ai","ChatGPT"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00033,"patchAvailable":true,"disclosureDate":"2026-03-12T14:23:44.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}