resolved
AI Playground XSS to steal user-chat messages and access to connected MCP Server
Bug reported by Nishant was disclosed on February 26, 2026, 6:56 pm | Cross-site Scripting (XSS) - Reflected
A reflected XSS vulnerability was discovered in the AI Playground OAuth handler due to unescaped interpolation of the error_description parameter into a script tag. The issue has been patched, and users of the open-source Agents SDK should upgrade to v0.3.10.
resolved
HTML Injection in DAST Trial Request Form Confirmation Email – PortSwigger
Bug reported by Jonathan was disclosed on February 26, 2026, 9:19 am
A vulnerability was discovered in the DAST trial request form on the website, where user input in the "First Name" field was not properly sanitized before being included in confirmation emails. This allowed the injection of arbitrary HTML content, which would be rendered in the recipient's email client.

