2 matches found
EUVD-2026-30487
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the public catalogue UI served at GET / file internal/api/handlers/v0/uiindex.html is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published...
CVE-2026-44429
CVE-2026-44429 pertains to the MCP Registry. Before 1.7.7, the public catalogue UI at GET / is vulnerable to stored XSS via the server.websiteUrl field in published server.json. Server-side validation (validateWebsiteURL) only checks parsing, absoluteness, and https scheme; it does not reject quo...