5 matches found

CVE
added 2026/04/02 6:32 p.m. | 19 views

CVE-2026-34742

The CVE-2026-34742 entry concerns the Model Context Protocol (MCP) Go SDK. Prior to version 1.4.0, an HTTP-based MCP server running on localhost without authentication did not enable DNS rebinding protection by default, allowing a malicious website to bypass same-origin policy and send requests t...

CVSS 8.1 | AI score 5.8 | EPSS 0.00455
Exploits: 0 | References: 8 | Affected Software: 1
Vulnrichment
added 2026/03/23 11:44 p.m. | 4 views

CVE-2026-33252 MCP Go SDK Allows Cross-Site Tool Execution for HTTP Servers without Authorization

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization,...

CVSS 7.1 | AI score 5.8 | EPSS 0.00178
Exploits: 0 | References: 2
OSV
added 2026/03/10 6:28 p.m. | 7 views

GO-2026-4569 MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity in github.com/modelcontextprotocol/go-sdk

CVSS 7.5 | AI score 5.8 | EPSS 0.00255
Exploits: 0 | References: 3
Github Security Blog
added 2026/02/26 10:20 p.m. | 10 views

MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity

The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc. Additionally, Go's standard...

CVSS 7.5 | AI score 5.4 | EPSS 0.00255
Exploits: 0 | References: 4 | Affected Software: 1
Cvelist
added 2026/02/26 12:47 a.m. | 22 views

CVE-2026-27896 MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity

The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc...

CVSS 7 | EPSS 0.00255
Exploits: 0 | References: 2