CVE-2026-34742
- EPSS 0.46%
- Veröffentlicht 02.04.2026 18:32:34
- Zuletzt bearbeitet 30.06.2026 03:18:57
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without aut...
CVE-2026-33252
- EPSS 0.18%
- Veröffentlicht 23.03.2026 23:44:16
- Zuletzt bearbeitet 15.04.2026 16:33:12
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: applicat...
CVE-2026-27896
- EPSS 0.26%
- Veröffentlicht 26.02.2026 00:47:46
- Zuletzt bearbeitet 30.06.2026 03:17:59
The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"meth...