GHSA-7q9x-8g6p-3x75: @grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template
Summary
A function called `renderPairingPage()` in the @grackle-ai/server library embeds error messages directly into HTML without escaping (a process that makes text safe for display in web pages). While current uses pass only hardcoded strings and are not exploitable now, future code changes that pass user-controlled input could create an XSS vulnerability (a type of attack where malicious code is injected into a webpage).
Solution / Mitigation
Update to v0.70.1. The fix applies `escapeHtml()` to the error parameter by changing `${error}` to `${escapeHtml(error)}` in the HTML template string, matching the safer approach already used in the `renderAuthorizePage()` function in the same file.
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-7q9x-8g6p-3x75
First tracked: March 25, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 75%