GHSA-w5cr-2qhr-jqc5: Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site
Summary
A reflected cross-site scripting (XSS) vulnerability, in which malicious code is injected through a URL parameter and executed in a user's browser, was found in Cloudflare Agents' AI Playground OAuth callback handler. An attacker could craft a malicious link that, when clicked, could steal the user's chat history and LLM interactions and control connected MCP Servers (tools that extend what an AI can do) on behalf of the victim.
Solution / Mitigation
Agents-sdk users should upgrade to agents@0.3.10. Developers using configureOAuthCallback with custom error handling should ensure all user-controlled input is escaped (converted to safe text that won't be interpreted as code) before being inserted into HTML. See PR: https://github.com/cloudflare/agents/pull/841
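The escaping step described above, as an added example (not code from the agents SDK or the linked PR): a callback error page that reflects the OAuth `error` and `error_description` query parameters, first unescaped and then escaped. The function names, the choice of parameters and the sample URL are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not the agents SDK API.

// Escape the five characters that are significant in HTML text and
// quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the query parameter is concatenated into markup as-is,
// so markup in the URL becomes markup in the response.
function renderErrorUnsafe(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const message = params.get("error_description") ?? "Unknown error";
  return `<!doctype html><title>Authorization failed</title><p>${message}</p>`;
}

// Hardened pattern: every reflected value passes through escapeHtml,
// in both text and attribute position.
function renderErrorSafe(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const code = params.get("error") ?? "unknown_error";
  const message = params.get("error_description") ?? "Unknown error";
  return (
    "<!doctype html><title>Authorization failed</title>" +
    `<p data-error="${escapeHtml(code)}">${escapeHtml(message)}</p>`
  );
}

// Defence in depth: headers for the error page. A static error page needs
// no scripts, so the policy allows none.
function errorPageHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'none'",
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed sample callback URL (placeholder host, harmless marker payload).
const SAMPLE_CALLBACK =
  "https://playground.example/oauth/callback?error=access_denied&error_description=" +
  encodeURIComponent("<script>alert(1)</script>");

console.log(renderErrorSafe(SAMPLE_CALLBACK));
```

The same helper applies to any other value a custom error handler echoes back, such as a `state` value or a server name.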
Original source: https://github.com/advisories/GHSA-w5cr-2qhr-jqc5
First tracked: February 13, 2026 at 07:00 PM