FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page (oauth_callback.py) where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScript execution in the callback server origin. The issue is fixed in version 2.13.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XJlowin Fastmcp
APPJlowin< 2.13.0
Related vulnerabilities
FastMCP: path traversal i SSRF przez niekodowane parametry ścieżki URL
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the Git...
FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not ...
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containi...
FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0, a command-injection...