PT-2026-7962 · Agents+1 · Agentis+1

Nishant Kumawat · Published 2026-02-13 · Updated 2026-05-06 · CVE-2026-1721

CVSS v4.0: 6.2 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

Name of the Vulnerable Software and Affected Versions

AI Playground versions prior to 0.3.10

Description

A Reflected Cross-Site Scripting (XSS) issue exists in the AI Playground's OAuth callback handler. The error description query parameter is directly interpolated into an HTML script tag without proper escaping, enabling attackers to execute arbitrary JavaScript within the victim's session. An attacker could craft a malicious link that, when clicked by a victim, could allow access to user chat message history and interaction with connected MCP Servers, potentially enabling the attacker to perform actions on the victim's behalf. The issue stems from the direct interpolation of the authError value, sourced from the error description query parameter, into an inline <script> tag within the site/ai-playground/src/server.ts file.

Recommendations

Upgrade to agents@0.3.10. Developers using configureOAuthCallback with custom error handling in their own applications should ensure all user-controlled input is escaped before interpolation.
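
The interpolation pattern described above next to an escaped form, as an added example that is not the project's code or its actual fix. The function names, the window.authError assignment and the sample value are assumptions made for illustration; only the authError name comes from the advisory.

```typescript
// Added example, not code from agents or AI Playground.
// `authError` stands for the value of the error description query parameter.

// Pattern the advisory describes: the value goes straight into an inline
// <script>, so a quote or "</script>" inside it changes the page structure.
function renderUnsafe(authError: string): string {
  return `<script>window.authError = "${authError}";</script>`;
}

// Serialize a string for use inside an inline <script>.
// JSON.stringify escapes quotes, backslashes and control characters.
// The extra pass rewrites characters that are legal in JSON but meaningful
// to the HTML tokenizer (<, >, &) or to older JavaScript parsers
// (U+2028, U+2029) as \uXXXX escapes, which JavaScript decodes back.
function jsonForScript(value: string): string {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + ("0000" + c.charCodeAt(0).toString(16)).slice(-4));
}

// Hardened form: the value is emitted as a single escaped string literal.
function renderSafe(authError: string): string {
  return `<script>window.authError = ${jsonForScript(authError)};</script>`;
}

// Number of script end tags the HTML tokenizer would see in the output.
// A correctly rendered page fragment here has exactly one.
function scriptCloseCount(html: string): number {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample value that tries to end the script element early.
const SAMPLE = 'denied"</script><script>/* injected */</script>';

// Returns the end-tag counts for both renderings of the sample value.
function compareRenderings(): { unsafe: number; safe: number } {
  return {
    unsafe: scriptCloseCount(renderUnsafe(SAMPLE)),
    safe: scriptCloseCount(renderSafe(SAMPLE)),
  };
}
```

The same check works as a regression test for any custom OAuth error page: render it with a value containing a script end tag and assert that the count of end tags does not change.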

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-1721
GHSA-CVHV-6XM6-C3V4

Affected Products

Ai Playground
Agentis