CVE-2026-42548: Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp()

May 6, 2026

Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site scripting.

References

github.com/advisories/GHSA-fcx8-ph5r-mxr4
github.com/flightphp/core
github.com/flightphp/core/security/advisories/GHSA-fcx8-ph5r-mxr4
nvd.nist.gov/vuln/detail/CVE-2026-42548

Code Behaviors & Features

Detect and mitigate CVE-2026-42548 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →