| CVE | Severity | CVSS | Risk | Published | Description | Impact |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-44427 | medium | — | 5.5 | 13d ago | MCP Registry has open redirect via protocol-relative path in trailing-slash middleware | |
| CVE-2026-44429 | medium | 5.4 | 5.4 | 13d ago | MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl` | |
| CVE-2026-44428 | medium | 4.7 | 4.7 | 13d ago | MCP Registry's GitHub OIDC tokens are replayable across registry deployments due to shared audience | |
| CVE-2026-44430 | medium | 4.0 | 4.0 | 13d ago | MCP Registry has an unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist | |