CVE-2026-32112

Source
https://cve.org/CVERecord?id=CVE-2026-32112
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32112.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32112
Aliases
Published
2026-03-11T20:42:30.381Z
Modified
2026-04-02T13:24:24.166168Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
ha-mcp has XSS via Unescaped HTML in OAuth Consent Form
Details

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects only users running the beta OAuth mode (ha-mcp-oauth), which is not part of the standard setup and requires explicit configuration. This vulnerability is fixed in 7.0.0.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32112.json"
}
References

Affected packages

Git / github.com/homeassistant-ai/ha-mcp

Affected ranges

Type
GIT
Repo
https://github.com/homeassistant-ai/ha-mcp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v3.*
v3.0.0
v3.0.1
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.3.0
v3.3.1
v3.3.2
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.5.0
v3.5.1
v3.6.0
v3.6.1
v3.6.2
v3.7.0
v4.*
v4.0.0
v4.0.1
v4.1.0
v4.10.0
v4.11.0
v4.11.1
v4.11.2
v4.11.3
v4.11.4
v4.11.5
v4.11.6
v4.11.7
v4.11.8
v4.11.9
v4.12.0
v4.13.0
v4.14.0
v4.14.1
v4.14.2
v4.15.0
v4.15.1
v4.16.0
v4.16.0.dev2
v4.16.1
v4.16.1.dev3
v4.16.2
v4.16.2.dev4
v4.17.0
v4.17.0.dev5
v4.17.1
v4.17.1.dev6
v4.18.0
v4.18.0.dev7
v4.18.1
v4.18.1.dev8
v4.18.1.dev9
v4.18.2
v4.18.2.dev10
v4.18.2.dev11
v4.18.2.dev12
v4.18.2.dev13
v4.18.2.dev15
v4.18.2.dev16
v4.18.2.dev17
v4.18.2.dev18
v4.18.2.dev19
v4.18.2.dev20
v4.19.0
v4.19.0.dev21
v4.19.0.dev22
v4.19.0.dev24
v4.19.0.dev25
v4.19.0.dev27
v4.19.0.dev28
v4.19.0.dev29
v4.19.0.dev30
v4.19.0.dev31
v4.19.0.dev32
v4.2.0
v4.20.0
v4.20.0.dev33
v4.20.0.dev34
v4.21.0
v4.21.0.dev35
v4.21.0.dev36
v4.21.0.dev37
v4.22.0
v4.22.0.dev38
v4.22.0.dev39
v4.22.0.dev40
v4.22.0.dev41
v4.22.0.dev42
v4.22.0.dev43
v4.22.0.dev44
v4.22.0.dev45
v4.22.1
v4.22.1.dev46
v4.22.1.dev47
v4.22.1.dev48
v4.22.1.dev50
v4.22.1.dev51
v4.22.1.dev52
v4.22.1.dev53
v4.3.0
v4.4.0
v4.5.0
v4.6.0
v4.7.0
v4.7.1
v4.7.2
v4.7.3
v4.7.4
v4.7.5
v4.7.6
v4.7.7
v4.8.0
v4.8.1
v4.8.2
v4.8.3
v4.8.4
v4.8.5
v4.9.0
v5.*
v5.0.0.dev54
v5.0.0.dev55
v5.0.0.dev56
v5.0.0.dev57
v5.0.0.dev58
v5.0.0.dev59
v5.0.0.dev60
v5.0.0.dev61
v5.0.0.dev62
v5.0.0.dev63
v5.0.0.dev64
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.1.0
v6.*
v6.0.0
v6.1.0
v6.2.0
v6.3.0
v6.3.0.dev120
v6.3.0.dev121
v6.3.0.dev122
v6.3.0.dev123
v6.3.1
v6.3.1.dev125
v6.3.1.dev126
v6.3.1.dev127
v6.3.1.dev128
v6.3.1.dev129
v6.3.1.dev130
v6.3.1.dev131
v6.3.1.dev132
v6.3.1.dev133
v6.3.1.dev134
v6.3.1.dev135
v6.3.1.dev136
v6.3.1.dev137
v6.3.1.dev138
v6.3.1.dev139
v6.3.1.dev140
v6.3.1.dev141
v6.3.1.dev142
v6.3.1.dev143
v6.3.1.dev144
v6.3.1.dev145
v6.3.1.dev146
v6.3.1.dev147
v6.3.1.dev148
v6.3.1.dev149
v6.3.1.dev150
v6.3.1.dev151
v6.3.1.dev152
v6.3.1.dev153
v6.3.1.dev154
v6.3.1.dev155
v6.3.1.dev156
v6.3.1.dev157
v6.3.1.dev158
v6.3.1.dev159
v6.4.0
v6.4.0.dev161
v6.4.0.dev162
v6.4.0.dev163
v6.4.0.dev164
v6.4.0.dev165
v6.4.0.dev166
v6.4.0.dev167
v6.4.0.dev168
v6.4.0.dev169
v6.4.0.dev170
v6.5.0
v6.5.0.dev172
v6.5.0.dev173
v6.5.0.dev174
v6.5.0.dev175
v6.5.0.dev176
v6.5.0.dev177
v6.5.0.dev178
v6.5.0.dev179
v6.5.0.dev180
v6.5.0.dev181
v6.5.0.dev182
v6.5.0.dev183
v6.5.0.dev184
v6.5.0.dev185
v6.5.0.dev186
v6.5.0.dev187
v6.6.0
v6.6.0.dev189
v6.6.1
v6.6.1.dev191
v6.6.1.dev192
v6.6.1.dev193
v6.6.1.dev194
v6.6.1.dev195
v6.6.1.dev196
v6.6.1.dev197
v6.6.1.dev198
v6.6.1.dev199
v6.6.1.dev200
v6.6.1.dev201
v6.6.1.dev202
v6.6.1.dev203
v6.6.1.dev204
v6.6.1.dev205
v6.6.1.dev206
v6.6.1.dev207
v6.6.1.dev208
v6.6.1.dev209
v6.6.1.dev210
v6.6.1.dev211
v6.6.1.dev212
v6.6.1.dev213
v6.6.1.dev214
v6.6.1.dev215
v6.6.1.dev216
v6.7.0
v6.7.0.dev218
v6.7.0.dev219
v6.7.0.dev220
v6.7.0.dev221
v6.7.1
v6.7.1.dev223
v6.7.1.dev224
v6.7.1.dev225
v6.7.1.dev226
v6.7.1.dev227
v6.7.1.dev228
v6.7.1.dev229
v6.7.1.dev230
v6.7.1.dev231
v6.7.1.dev232
v6.7.1.dev233
v6.7.1.dev234
v6.7.2
v6.7.2.dev236
v6.7.2.dev237
v6.7.2.dev238
v6.7.2.dev239
v6.7.2.dev240
v6.7.2.dev241
v6.7.2.dev242
v6.7.2.dev243
v6.7.2.dev244
v6.7.2.dev245
v6.7.2.dev246
v6.7.2.dev247
v6.7.2.dev248
v6.7.2.dev249
v6.7.2.dev250
v6.7.2.dev251
v6.7.2.dev252
v6.7.2.dev253
v6.7.2.dev254
v6.7.2.dev255
v6.7.2.dev256
v6.7.2.dev257
v6.7.2.dev258
v6.7.2.dev259

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32112.json"