Package impact
GO / github.com/modelcontextprotocol/registry
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-44427 | medium | — | 5.5 | 14d ago | MCP Registry has open redirect via protocol-relative path in trailing-slash middleware | |
| CVE-2026-44429 | medium | 5.4 | 5.4 | 14d ago | MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl` | |
| CVE-2026-44428 | medium | 4.7 | 4.7 | 14d ago | MCP Registry's GitHub OIDC tokens are replayable across registry deployments due to shared audience | |
| CVE-2026-44430 | medium | 4.0 | 4.0 | 14d ago | MCP Registry has an unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist | |