Support Us — Your donation helps us keep running

Goal: 1000 CNY,Raised: 1000 CNY

100.0%
Donate Now

modelcontextprotocol — Vulnerabilities & Security Advisories 19

Browse all 19 CVE security advisories affecting modelcontextprotocol. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Top 10 Products modelcontextprotocol:serverspython-sdkgo-sdkinspectortypescript-sdkjava-sdkruby-sdk
CVE IDTitleCVSSSeverityPaused
CVE-2026-35568 MCP Java-SDK has a DNS Rebinding Vulnerability — java-sdkCWE-346 6.3AIMediumAI2026-04-07
CVE-2026-34742 Model Context Protocol Go SDK: DNS Rebinding Protection Disabled by Default for Servers Running on Localhost — go-sdkCWE-1188 7.1AIHighAI2026-04-02
CVE-2026-34237 MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *) — java-sdkCWE-942 6.1 Medium2026-03-31
CVE-2026-33946 MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay — ruby-sdkCWE-384 8.2 -2026-03-27
CVE-2026-33252 MCP Go SDK Allows Cross-Site Tool Execution for HTTP Servers without Authorizatrion — go-sdkCWE-352 7.1 High2026-03-23
CVE-2026-27896 MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity — go-sdkCWE-178 9.1AICriticalAI2026-02-26
CVE-2026-27735 mcp-server-git : Path traversal in git_add allows staging files outside repository boundaries — serversCWE-22 8.6AIHighAI2026-02-25
CVE-2026-25536 @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse — typescript-sdkCWE-362 7.1 High2026-02-04
CVE-2025-68145 mcp-server-git has missing path validation when using --repository flag — serversCWE-22 9.8AICriticalAI2025-12-17
CVE-2025-68144 mcp-server-git argument injection in git_diff and git_checkout functions allows overwriting local files — serversCWE-88 9.1AICriticalAI2025-12-17
CVE-2025-68143 mcp-server-git's unrestricted git_init tool allows repository creation at arbitrary filesystem locations — serversCWE-22 9.1AICriticalAI2025-12-17
CVE-2025-66416 DNS Rebinding Protection Disabled by Default in Model Context Protocol Python SDK for Servers Running on Localhost — python-sdkCWE-1188 7.1 -2025-12-02
CVE-2025-66414 DNS Rebinding Protection Disabled by Default in Model Context Protocol TypeScript SDK for Servers Running on Localhost — typescript-sdkCWE-1188 7.5AIHighAI2025-12-02
CVE-2025-58444 MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server — inspectorCWE-84 6.1AIMediumAI2025-09-08
CVE-2025-53366 MCP SDK Vulnerable to FastMCP Server Validation Error, Leading to Denial of Service — python-sdkCWE-248 7.5 -2025-07-04
CVE-2025-53365 MCP Python SDK has Unhandled Exception in Streamable HTTP Transport ,Leading to Denial of Service — python-sdkCWE-248 7.5 -2025-07-04
CVE-2025-53109 Model Context Protocol Servers Vulnerable to Path Validation Bypass via Prefix Matching and Symlink Handling — serversCWE-59 4.3AIMediumAI2025-07-02
CVE-2025-53110 Model Context Protocol Servers Vulnerable to Path Validation Bypass via Colliding Path Prefix — serversCWE-22 7.5AIHighAI2025-07-02
CVE-2025-49596 MCP Inspector proxy server lacks authentication between the Inspector client and proxy — inspectorCWE-306 9.8AICriticalAI2025-06-13

This page lists every published CVE security advisory associated with modelcontextprotocol. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.