Package Instance

Pydantic AI has Stored XSS via Path Traversal in Web UI CDN URL
A Path Traversal vulnerability in the [Pydantic AI web UI](https://ai.pydantic.dev/web/) allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data.

**This vulnerability only affects applications that use:**
- **`Agent.to_web`** to serve a chat interface
- **`clai web`** to serve a chat interface from the CLI

These are typically run locally (on `localhost`), but may also be deployed on a remote server.

Pydantic AI has Server-Side Request Forgery (SSRF) in URL Download Handling
A Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials.

**This vulnerability only affects applications that accept message history from external users**, such as those using:
- **`Agent.to_web`** or **`clai web`** to serve a chat interface
- **`VercelAIAdapter`** for Vercel AI SDK integration
- **`AGUIAdapter`** or **`Agent.to_ag_ui`** for AG-UI protocol integration
- Custom APIs that accept message history from user input

Applications that only use hardcoded or developer-controlled URLs are not affected.