Security: modelcontextprotocol/registry
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
OCI validator skips ownership check on upstream rate limitsGHSA-2v5f-5r6w-p67r published
May 12, 2026 by rdimitrovLow -
Unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlistGHSA-r48c-v28r-pf6v published
May 4, 2026 by rdimitrovModerate -
Stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl`GHSA-rqv2-m695-f8j4 published
May 4, 2026 by rdimitrovModerate -
Open redirect via protocol-relative path in trailing-slash middlewareGHSA-v8vw-gw5j-w7m6 published
May 4, 2026 by rdimitrovLow -
GitHub OIDC tokens replayable across registry deployments due to shared audienceGHSA-95c3-6vvw-4mrq published
May 4, 2026 by rdimitrovLow