Bubba AI, Inc.
2261 Market Street, San Francisco, California, 94114

Finding Title: Missing Content Security Policy (CSP) (Closed)
Severity (CVSS 3.1): 3.7 (Low)

Description:
The issue occurs when the application does not implement a Content Security Policy (CSP). Without a CSP, the browser has no policy restricting which scripts, styles, or other content a page may load or execute, so malicious scripts or content injected into web pages run unhindered, potentially leading to cross-site scripting (XSS) attacks, data theft, or session hijacking. Exploitation requires the attacker to convince a user to visit a vulnerable page, making exploitation moderately difficult. An attacker can exploit this by crafting malicious scripts that the browser executes due to the lack of CSP. Successful exploitation could result in sensitive information exposure, user session compromise, and reputational damage.

Risk:
- No restrictions on which scripts, styles, or resources can be loaded.
- Increased risk of cross-site scripting (XSS).
- Potential data leakage via injected content.
- Users may be exposed to phishing or malicious scripts.
- Reduced defense-in-depth for client-side security.
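The following is an added example, not part of the report or the tested application, showing how a defender can verify this finding and its remediation: a small Python audit that takes a dict of HTTP response headers (as a scanner or test harness would collect them) and reports whether a Content-Security-Policy is present and whether it contains directives that undermine its protection against injected scripts. The RECOMMENDED_CSP string, the header dicts, and the nonce value are constructed for illustration; a real server must generate a fresh nonce per response.

```python
"""Added example (not from the report): audit HTTP response headers for a CSP.

Returns a list of findings per response; an empty list means the policy
was present and contains none of the weaknesses checked here.
"""
from typing import Dict, List

# Constructed starting policy for an application that serves its own scripts.
# {nonce} is a placeholder: the server generates a fresh random value per response.
RECOMMENDED_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-{nonce}'; "
    "object-src 'none'; "
    "base-uri 'self'; "
    "frame-ancestors 'none'"
)

# Source expressions that effectively disable the script restriction.
OVERLY_BROAD_SOURCES = {"*", "http:", "https:", "data:"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive-name: [source expressions]}.

    Directives are separated by ';', tokens within a directive by whitespace.
    Directive names are case-insensitive; source expressions are kept verbatim.
    """
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, *sources = tokens
        directives[name.lower()] = sources
    return directives


def audit_csp(headers: Dict[str, str]) -> List[str]:
    """Audit a response's headers for a missing or weak Content-Security-Policy."""
    lowered = {k.lower(): v for k, v in headers.items()}
    policy = lowered.get("content-security-policy")
    if policy is None:
        # Report-only mode logs violations but blocks nothing, so it does not
        # remove the risk described in the finding.
        if "content-security-policy-report-only" in lowered:
            return ["CSP present only in report-only mode: browsers will not block violations"]
        return ["missing Content-Security-Policy header"]

    d = parse_csp(policy)
    findings: List[str] = []

    if "default-src" not in d:
        findings.append("no default-src fallback: unlisted resource types are unrestricted")

    # script-src falls back to default-src when absent.
    script = d.get("script-src", d.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash: injected inline scripts run")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if OVERLY_BROAD_SOURCES & set(script):
        findings.append("script-src permits scripts from any origin")

    if "object-src" not in d and d.get("default-src") != ["'none'"]:
        findings.append("object-src not restricted: plugin content can be loaded")

    return findings


# Constructed sample responses, as a scanner might collect them.
SAMPLE_RESPONSES = {
    "no-policy": {"Content-Type": "text/html"},
    "weak-policy": {"Content-Security-Policy": "script-src 'self' 'unsafe-inline'"},
    "report-only": {"Content-Security-Policy-Report-Only": "default-src 'self'"},
    "recommended": {"Content-Security-Policy": RECOMMENDED_CSP.format(nonce="r4nd0mN0nc3")},
}


def audit_all(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Run the audit over every sample response and collect findings by name."""
    return {name: audit_csp(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_RESPONSES).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

The check that the finding is closed is the "recommended" case returning no findings; the "weak-policy" case shows why merely adding a header is not enough, since a policy with 'unsafe-inline' and no default-src still lets injected inline scripts execute.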

RELAYTO Penetration Test Report - Page 12