Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site
- Severity: Medium
Description
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground’s OAuth callback handler. The error_description query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the context of the victim’s session.
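The bug class described above, shown beside a hardened form. This is an added illustration, not the agents package's code; the function names, the `oauthError` variable and the sample callback URL are assumptions.

```javascript
// Added illustration of the bug class; not code from the agents package.
// All names and the sample URL below are hypothetical / constructed.

// Constructed callback URL whose error_description carries markup.
const SAMPLE_CALLBACK_URL =
  "https://playground.example/oauth/callback?error=access_denied&error_description=" +
  encodeURIComponent('denied</script><script>console.log("injected")</script>');

// Read the attacker-influenced parameter from the callback URL.
function descriptionFromCallback(callbackUrl) {
  return new URL(callbackUrl).searchParams.get("error_description") ?? "";
}

// Vulnerable pattern: the raw parameter is interpolated into a <script> body,
// so a value containing "</script>" ends the element and starts a new one.
function renderCallbackVulnerable(errorDescription) {
  return `<script>const oauthError = "${errorDescription}";</script>`;
}

// Hardened pattern: serialize as JSON (handles quotes and backslashes), then
// escape the characters that can end a script element or a JavaScript line.
const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;
function toScriptSafeJson(value) {
  return JSON.stringify(String(value)).replace(
    SCRIPT_UNSAFE,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function renderCallbackHardened(errorDescription) {
  return `<script>const oauthError = ${toScriptSafeJson(errorDescription)};</script>`;
}

// Regression check: a callback page built from one template must contain
// exactly one opening script tag, whatever the parameter holds.
function countScriptOpenTags(html) {
  return (html.match(/<script/gi) || []).length;
}

const description = descriptionFromCallback(SAMPLE_CALLBACK_URL);
console.log("vulnerable:", countScriptOpenTags(renderCallbackVulnerable(description)));
console.log("hardened:  ", countScriptOpenTags(renderCallbackHardened(description)));
```

The escaped literal still evaluates to the original string in the browser, so the error message shown to the user is unchanged.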
Recommendation
Update the agents package to the latest compatible version. Version details:
- Affected version(s): < 0.3.10
- Patched version(s): 0.3.10
References
Related Issues
- Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler - CVE-2026-1721
- Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
- VvvebJs Reflected Cross-Site Scripting (XSS) vulnerability - CVE-2024-29271
- Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
- Tags: npm, agents
Last updated on February 13, 2026