{"data":{"id":"c42cd4c3-5de9-405c-8f30-db89174a3772","title":"CVE-2026-1721: Reflected Cross-Site Scripting (XSS) in the AI Playground's OAuth callback handler","summary":"A reflected XSS vulnerability (a flaw where attacker-supplied script is echoed back by a website and executed in a user's browser) was found in the AI Playground's OAuth callback handler (the code that processes login responses). The vulnerability allowed attackers to craft malicious links that, when clicked, could steal a user's chat history and access connected MCP servers (external services integrated with the AI system) on the victim's behalf.","solution":"Agents-sdk users should upgrade to agents@0.3.10. Developers using configureOAuthCallback with custom error handling should ensure all user-controlled input is escaped (converted to safe text that won't be interpreted as code) before interpolation (inserting it into the HTML). A patch is available at PR https://github.com/cloudflare/agents/pull/841.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-1721","publishedAt":"2026-02-13T03:15:52.467Z","cveId":"CVE-2026-1721","cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["pii_leakage"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["Cloudflare","Cloudflare Agents","AI Playground"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.0002,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}