SCA: security update for agents (GHSA-cvhv-6xm6-c3v4)

medium Tenable Cloud Security Plugin ID 437728

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Summary A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground's OAuth
callback handler. The `error_description` query parameter was directly interpolated into an HTML script
tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the context of the
victim's session. Root cause The OAuth callback handler in `site/ai-playground/src/server.ts` directly
interpolated the `authError` value, sourced from the `error_description` query parameter, into an inline
`<script>` tag. Impact An attacker could craft a malicious link that, when clicked by a victim, would: *
Steal user chat message history - Access all LLM interactions stored in the user's session. * Access
connected MCP Servers - Interact with any MCP servers connected to the victim's session (public or
authenticated/private), potentially allowing the attacker to perform actions on the victim's behalf
Mitigation: * PR: https://github.com/cloudflare/agents/pull/841
https://github.com/cloudflare/agents/pull/841 * Agents-sdk users should upgrade to [email protected] *
Developers using configureOAuthCallback with custom error handling in their own applications should ensure
all user-controlled input is escaped before interpolation. (CVE-2026-1721)

See Also

https://github.com/advisories/GHSA-cvhv-6xm6-c3v4

Plugin Details

Severity: Medium

ID: 437728

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 2/14/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.59

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2026-1721

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.2

Threat Score: 2.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/13/2026

Vulnerability Publication Date: 2/13/2026

Reference Information

CVE: CVE-2026-1721

cwe: CWE-79