Package impact
GO / github.com/modelcontextprotocol/registry
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44427 | medium | — | 5.5 | | | | 20d ago | MCP Registry has open redirect via protocol-relative path in trailing-slash middleware |
| CVE-2026-44429 | medium | 5.4 | 5.4 | | | | 21d ago | MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl` |
| CVE-2026-44428 | medium | 4.7 | 4.7 | | | | 20d ago | MCP Registry's GitHub OIDC tokens are replayable across registry deployments due to shared audience |
| CVE-2026-44430 | medium | 4.0 | 4.0 | | | | 21d ago | MCP Registry has an unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist |
| CVE-2026-45781 | low | 3.5 | 3.5 | | | | 21d ago | MCP Registry: OCI validator skips ownership check on upstream rate limits |