GHSA-w5cr-2qhr-jqc5: Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground’s OAuth callback handler. The error_description query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the context of the victim’s session.
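The pattern described above, next to one common mitigation, as an added example that is not the project's code or its actual fix. All function names, the markup and the sample callback URL are hypothetical and constructed for illustration.

```javascript
// Added illustration. Names, markup and sample data are hypothetical.

// Read error_description from an OAuth callback URL.
function errorDescriptionFrom(callbackUrl) {
  return new URL(callbackUrl).searchParams.get("error_description") ?? "";
}

// Vulnerable pattern: the parameter is placed inside a <script> block verbatim,
// so a quote or a closing script tag in the value changes the page structure.
function renderCallbackUnsafe(errorDescription) {
  return `<script>const error = "${errorDescription}"; showError(error);</script>`;
}

// JSON.stringify handles quotes and backslashes, but not characters that the
// HTML parser acts on inside a script element, so those are escaped as well.
const SCRIPT_ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

function toScriptSafeJson(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => SCRIPT_ESCAPES[ch]
  );
}

// Hardened pattern: the value only ever appears as an escaped string literal.
function renderCallbackSafe(errorDescription) {
  return `<script>const error = ${toScriptSafeJson(errorDescription)}; showError(error);</script>`;
}

// Check helper: how many closing script tags does the rendered HTML contain?
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample input (not taken from the advisory).
const SAMPLE = 'access "denied"</script><b>constructed</b>';
const SAMPLE_URL =
  "https://playground.example/oauth/callback?error=access_denied" +
  "&error_description=" + encodeURIComponent(SAMPLE);
```

Where the message is only displayed, rendering it as text (for example through `textContent`) avoids placing request data in a script block at all.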