XSS in Jlowin Fastmcp

CVE-2025-62800

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page (oauth_callback.py) where unescaped user-controlled values are…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (18.8th percentile) — read the EPSS interpretation.