Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

10 advisories

Loading
MCP Registry's GitHub OIDC tokens are replayable across registry deployments due to shared audience Low
CVE-2026-44428 was published for github.com/modelcontextprotocol/registry (Go) May 8, 2026
FORIMOC Credited to FORIMOC, Yuremin, and rdimitrov Yuremin Yuremin
rdimitrov rdimitrov
Go-tuf Improperly handles multiple key IDs for the same public keys in attacker-controlled metadata Low
GHSA-3633-5h82-39pq was published for github.com/theupdateframework/go-tuf (Go) Sep 16, 2022
cedricvanrompay-datadog Credited to cedricvanrompay-datadog, 0xVijay, kommendorkapten, and rdimitrov 0xVijay 0xVijay
kommendorkapten kommendorkapten rdimitrov rdimitrov
MCP Registry: OCI validator skips ownership check on upstream rate limits Low
CVE-2026-45781 was published for github.com/modelcontextprotocol/registry (Go) May 19, 2026
rdimitrov Credited to rdimitrov
MCP Registry has open redirect via protocol-relative path in trailing-slash middleware Moderate
CVE-2026-44427 was published for github.com/modelcontextprotocol/registry (Go) May 8, 2026
gujasec Credited to gujasec and rdimitrov rdimitrov rdimitrov
MCP Registry has an unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist Moderate
CVE-2026-44430 was published for github.com/modelcontextprotocol/registry (Go) May 8, 2026
matte1782 Credited to matte1782 and rdimitrov rdimitrov rdimitrov
MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl` Moderate
CVE-2026-44429 was published for github.com/modelcontextprotocol/registry (Go) May 8, 2026
JosephDoUrden Credited to JosephDoUrden and rdimitrov rdimitrov rdimitrov
go-tuf Path Traversal in TAP 4 Multirepo Client Allows Arbitrary File Write via Malicious Repository Names Moderate
CVE-2026-24686 was published for github.com/theupdateframework/go-tuf/v2 (Go) Jan 26, 2026
1seal Credited to 1seal, rdimitrov, and kommendorkapten rdimitrov rdimitrov
kommendorkapten kommendorkapten
go-tuf improperly validates the configured threshold for delegations Moderate
CVE-2026-23992 was published for github.com/theupdateframework/go-tuf/v2 (Go) Jan 21, 2026
1seal Credited to 1seal, kommendorkapten, and rdimitrov kommendorkapten kommendorkapten
rdimitrov rdimitrov
go-tuf affected by client DoS via malformed server response Moderate
CVE-2026-23991 was published for github.com/theupdateframework/go-tuf/v2 (Go) Jan 21, 2026
1seal Credited to 1seal, kommendorkapten, and rdimitrov kommendorkapten kommendorkapten
rdimitrov rdimitrov
Improper Validation of Integrity Check Value in go-tuf High
CVE-2022-29173 was published for github.com/theupdateframework/go-tuf (Go) May 24, 2022
rdimitrov Credited to rdimitrov
ProTip! Advisories are also available from the GraphQL API