CVE-2026-34742
- EPSS 0.08%
- Published 02.04.2026 18:32:34
- Last modified 03.04.2026 19:48:25
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without aut...
CVE-2026-33252
- EPSS 0.01%
- Published 23.03.2026 23:44:16
- Last modified 15.04.2026 16:33:12
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: applicat...
CVE-2026-27896
- EPSS 0.05%
- Published 26.02.2026 00:47:46
- Last modified 14.04.2026 00:40:00
The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"meth...