{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32112", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:02:38.855Z", "datePublished": "2026-03-11T20:42:30.381Z", "dateUpdated": "2026-03-12T14:05:47.508Z"}, "containers": {"cna": {"title": "ha-mcp has XSS via Unescaped HTML in OAuth Consent Form", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/homeassistant-ai/ha-mcp/security/advisories/GHSA-pf93-j98v-25pv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/homeassistant-ai/ha-mcp/security/advisories/GHSA-pf93-j98v-25pv"}], "affected": [{"vendor": "homeassistant-ai", "product": "ha-mcp", "versions": [{"version": "< 7.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:42:30.381Z"}, "descriptions": [{"lang": "en", "value": "ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects only users running the beta OAuth mode (ha-mcp-oauth), which is not part of the standard setup and requires explicit configuration. This vulnerability is fixed in 7.0.0."}], "source": {"advisory": "GHSA-pf93-j98v-25pv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:05:22.619817Z", "id": "CVE-2026-32112", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:05:47.508Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32112", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T14:05:22.619817Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:05:32.007Z"}}], "cna": {"title": "ha-mcp has XSS via Unescaped HTML in OAuth Consent Form", "source": {"advisory": "GHSA-pf93-j98v-25pv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "homeassistant-ai", "product": "ha-mcp", "versions": [{"status": "affected", "version": "< 7.0.0"}]}], "references": [{"url": "https://github.com/homeassistant-ai/ha-mcp/security/advisories/GHSA-pf93-j98v-25pv", "name": "https://github.com/homeassistant-ai/ha-mcp/security/advisories/GHSA-pf93-j98v-25pv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects only users running the beta OAuth mode (ha-mcp-oauth), which is not part of the standard setup and requires explicit configuration. This vulnerability is fixed in 7.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:42:30.381Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32112", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:05:47.508Z", "dateReserved": "2026-03-10T22:02:38.855Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T20:42:30.381Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:homeassistant-ai:home_assistant_mcp_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "75A833D1-96EB-451C-876C-1267332C62DD", "versionEndExcluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects only users running the beta OAuth mode (ha-mcp-oauth), which is not part of the standard setup and requires explicit configuration. This vulnerability is fixed in 7.0.0."}, {"lang": "es", "value": "ha-mcp es un servidor MCP de Home Assistant. Antes de la versi\u00f3n 7.0.0, el formulario de consentimiento OAuth de ha-mcp renderiza par\u00e1metros controlados por el usuario a trav\u00e9s de f-strings de Python sin escape HTML. Un atacante que pueda alcanzar el endpoint OAuth y convencer al operador del servidor de seguir una URL de autorizaci\u00f3n manipulada podr\u00eda ejecutar JavaScript en el navegador del operador. Esto afecta solo a los usuarios que ejecutan el modo OAuth beta (ha-mcp-oauth), que no forma parte de la configuraci\u00f3n est\u00e1ndar y requiere configuraci\u00f3n expl\u00edcita. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 7.0.0."}], "id": "CVE-2026-32112", "lastModified": "2026-03-17T15:39:07.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T21:16:17.450", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/homeassistant-ai/ha-mcp/security/advisories/GHSA-pf93-j98v-25pv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ha-mcp", "source": "cna", "vendor": "homeassistant-ai"}, "product": "ha-mcp", "vendor": "homeassistant-ai"}], "analysis": {"en": {"generated_at": "2026-03-17T17:05:36.016348+00:00", "value": {"mitigation_remediation": ["Upgrade ha\u2011mcp to version 7.0.0 or later"], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting via unescaped HTML in OAuth consent form"}, "threat_synthesis": {"affected_systems": "Vendors: homeassistant\u2011ai; Product: ha\u2011mcp Server. Only the beta OAuth mode (ha\u2011mcp\u2011oauth) is affected, which is not part of the default configuration and requires explicit operator setup. All releases prior to 7.0.0 of ha\u2011mcp contain the flaw; the vulnerability is fixed in version 7.0.0.", "description_and_impact": "This vulnerability exists because the ha\u2011mcp OAuth consent form renders user\u2011controlled query parameters directly into the HTML output using Python f\u2011strings without any escaping. If an attacker can reach the OAuth endpoint and persuade the server operator to click a crafted authorization URL, arbitrary JavaScript will run in the operator\u2019s browser. The exposed weakness is a classic XSS flaw (CWE\u201179) that compromises the confidentiality, integrity, and availability of the operator\u2019s session and can be used for credential theft or persistence. The impact is limited to the browser context of the operator but can lead to significant damage if the operator has administrative access to the Home Assistant instance.", "risk_and_exploitability": "The CVSS v3 base score is 6.8, indicating a medium\u2011to\u2011high severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog. Attackers would need network or Web access to the OAuth endpoint and the ability to influence the server operator to visit a crafted URL. The flaw is publicly documented and remains unaddressed until the operator updates the software."}}}}, "created": "2026-03-12T09:55:58.001952+00:00", "updated": "2026-03-20T15:37:05.348899+00:00", "vendors": ["homeassistant-ai", "homeassistant-ai$PRODUCT$ha-mcp"]}