CVE-2026-1721: Reflected Cross-Site Scripting (XSS) in the AI Playground's OAuth callback handler
Summary
A reflected XSS vulnerability (a type of attack where malicious code is injected into a website and executed in a user's browser) was found in the AI Playground's OAuth callback handler (the code that processes login responses). The vulnerability allowed attackers to craft malicious links that, when clicked, could steal a user's chat history and access connected MCP servers (external services integrated with the AI system) on the victim's behalf.
Solution / Mitigation
Agents-sdk users should upgrade to agents@0.3.10. Developers using configureOAuthCallback with custom error handling should ensure all user-controlled input is escaped (converted to safe text that won't be interpreted as code) before interpolation (inserting it into the HTML). A patch is available at PR https://github.com/cloudflare/agents/pull/841.
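The escaping step described above, as an added example that is not code from the agents SDK or from the patch: an OAuth error page rendered with and without escaping. The function names, the sample URL, and the choice of the `error_description` query parameter (a standard OAuth 2.0 error field) are assumptions for illustration, not a statement of which parameter the CVE involved.

```javascript
// Added example: hypothetical helpers, not the agents SDK API.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Convert the five HTML-significant characters to entities so the value
// is rendered as text in element content and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the user-controlled field from the callback URL (already URL-decoded).
function errorDescription(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  return params.get("error_description") ?? "unknown error";
}

// "Before": raw interpolation, so markup in the query string becomes markup in the page.
function renderErrorUnsafe(callbackUrl) {
  return `<p>Authorization failed: ${errorDescription(callbackUrl)}</p>`;
}

// "After": the same template with the value escaped before interpolation.
function renderErrorSafe(callbackUrl) {
  return `<p>Authorization failed: ${escapeHtml(errorDescription(callbackUrl))}</p>`;
}

// Error response with the escaped body plus defense-in-depth headers:
// a CSP that forbids script execution, and an explicit content type.
function buildErrorResponse(callbackUrl) {
  return {
    status: 400,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "Content-Security-Policy": "default-src 'none'",
      "X-Content-Type-Options": "nosniff",
    },
    body: renderErrorSafe(callbackUrl),
  };
}

// Constructed sample input (not taken from the advisory).
const SAMPLE_CALLBACK =
  "https://app.example/callback?error=access_denied" +
  "&error_description=%3Cscript%3Ealert(1)%3C%2Fscript%3E";

console.log(renderErrorUnsafe(SAMPLE_CALLBACK));
console.log(buildErrorResponse(SAMPLE_CALLBACK).body);
```

The response headers are a second layer only; the escaping in `renderErrorSafe` is what removes the injection point.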
Vulnerability Details
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-1721
First tracked: February 12, 2026 at 11:07 PM