Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 973ada489498 · 2026-02-13T21:04:32.000Z
GHSA-p5vf-5754-x7p3 GHSA-w5cr-2qhr-jqc5
diff --git a/advisories/github-reviewed/2026/02/GHSA-p5vf-5754-x7p3/GHSA-p5vf-5754-x7p3.json b/advisories/github-reviewed/2026/02/GHSA-p5vf-5754-x7p3/GHSA-p5vf-5754-x7p3.json
@@ -0,0 +1,43 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p5vf-5754-x7p3",
+  "modified": "2026-02-13T21:02:38Z",
+  "published": "2026-02-13T21:02:38Z",
+  "aliases": [],
+  "summary": "`polymarket-client-sdks` was removed from crates.io for malicious code",
+  "details": "It appeared to be typosquatting existing crate [`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk) (`sdks` vs `sdk`) and attempting to steal credentials from local files.\n\nThe malicious crate had 1 version published on 2026-02-09 and had been downloaded only 33 times. There were no crates depending on this crate on crates.io.\n\nThanks to Roland Peelen for finding and reporting this to the crates.io team!",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "polymarket-client-sdks"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0011.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-506"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-13T21:02:38Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/02/GHSA-w5cr-2qhr-jqc5/GHSA-w5cr-2qhr-jqc5.json b/advisories/github-reviewed/2026/02/GHSA-w5cr-2qhr-jqc5/GHSA-w5cr-2qhr-jqc5.json
@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w5cr-2qhr-jqc5",
+  "modified": "2026-02-13T21:04:00Z",
+  "published": "2026-02-13T21:04:00Z",
+  "aliases": [],
+  "summary": "Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site",
+  "details": "## Summary\n\nA Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground's OAuth callback handler. The error_description query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the context of the victim's session.\n\n### Root cause\n\nThe OAuth callback handler in `site/ai-playground/src/server.ts` directly interpolated the `authError` value, sourced from the `error_description` query parameter,  into an inline `<script>` tag.\n\n### Impact\n\nAn attacker could craft a malicious link that, when clicked by a victim, would:\n- Steal user chat message history \n- Access all LLM interactions stored in the user's session.\n- Access connected MCP Servers \n- Interact with any MCP servers connected to the victim's session (public or authenticated/private), potentially allowing the attacker to perform actions on the victim's behalf\n\n### Mitigation:\n\n- PR: https://github.com/cloudflare/agents/pull/841\n- Agents-sdk users should upgrade to `agents@0.3.10`\n- Developers using `configureOAuthCallback` with custom error handling in their own applications should ensure all user-controlled input is escaped before interpolation.\n\n### Credits\n\nDisclosed responsibly by Nishant Kumawat",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "agents"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.3.10"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/cloudflare/agents/security/advisories/GHSA-w5cr-2qhr-jqc5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cloudflare/agents/pull/841"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cloudflare/agents/commit/3f490d045844e4884db741afbb66ca1fe65d4093"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/cloudflare/agents"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-13T21:04:00Z",
+    "nvd_published_at": null
+  }
+}
