AI security incident: Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Play...
Summary
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground's OAuth callback handler. The error_description query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the context of the victim's session.
Root cause
The OAuth callback handler in site/ai-playground/src/server.ts directly interpolated the authError value, sourced from the error_description query parameter, into an inline script tag.
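The pattern the root-cause paragraph describes, shown as an added TypeScript example that is not code from the Cloudflare Agents repository: the unsafe interpolation of an error value into an inline script block, a hardened rendering of the same page, and a check a reviewer can run over rendered output. The callback page template, the `authError` variable name inside it and the sample error_description value are assumptions constructed for this example.

```typescript
// Added example (not the Cloudflare Agents code). Assumed callback page: the
// handler renders a small HTML document whose inline script receives the
// OAuth error text so the page can display it.

// Vulnerable pattern: the untrusted error_description value is dropped into a
// <script> block by string interpolation. A value containing "</script>" ends
// the block early and the remainder of the value is parsed as HTML.
function renderCallbackErrorUnsafe(authError: string): string {
  return `<!doctype html><html><body>
<p id="msg"></p>
<script>
  var authError = "${authError}";
  document.getElementById("msg").textContent = authError;
</script>
</body></html>`;
}

// Encode a value for embedding inside a <script> block. JSON.stringify gives
// correct JS string quoting but leaves "<", ">" and "&" untouched, so a
// "</script>" inside the value would still terminate the block; those
// characters (and U+2028/U+2029, which are line terminators in JS but not in
// JSON) are escaped as \uXXXX so the browser sees a single JS string literal.
function jsonForScript(value: unknown): string {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened rendering: the value is serialized with jsonForScript, so whatever
// the query parameter holds, the script block stays a single string literal
// and the text still reaches the page only through textContent.
function renderCallbackErrorSafe(authError: string): string {
  return `<!doctype html><html><body>
<p id="msg"></p>
<script>
  var authError = ${jsonForScript(authError)};
  document.getElementById("msg").textContent = authError;
</script>
</body></html>`;
}

// Regression check over rendered output: count script-closing tags. The
// template contains exactly one; any extra one came from the interpolated
// value and means the script context was broken out of.
function countScriptCloseTags(html: string): number {
  return (html.match(/<\/script/gi) ?? []).length;
}

// Constructed sample error_description (not taken from the advisory): a value
// that tries to close the script block and inject markup after it.
const SAMPLE_ERROR_DESCRIPTION = "access_denied</script><i>injected</i><script>";
```

Running countScriptCloseTags over both renderings with the sample value shows the difference directly: the unsafe page contains two closing script tags, the hardened page only the one from its template, while JSON.parse of the encoded value still yields the original string, so no information is lost by the encoding.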
Impact
Severity HIGH with confidence 61%. Validate exposure quickly to reduce security and compliance risk.
Recommended Response
- Confirm whether affected products, models, or integrations are used in your environment.
- Apply vendor fixes or mitigations and restrict risky permissions until verified.
- Monitor logs for related indicators and document containment for audit evidence.