VYPR

Fastmcp

by Jlowin

pypi: fastmcp

CVEs (6)

  • CVE-2026-32871 | Critical | Apr 2, 2026
    risk 0.58 | cvss 10.0 | epss 0.01

    FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend…

  • CVE-2025-64340 | Medium | Apr 3, 2026
    risk 0.37 | cvss 6.7 | epss 0.01

    FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths…

  • CVE-2026-27124 | Medium | Apr 3, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP…

  • CVE-2025-69196 | Mar 16, 2026
    risk 0.00 | cvss not listed | epss 0.00

    FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the…

  • CVE-2025-62801 | Oct 28, 2025
    risk 0.00 | cvss not listed | epss 0.00

    FastMCP is the standard framework for building MCP applications. In versions prior to 2.13.0, a command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor. This…

  • CVE-2025-62800 | Oct 28, 2025
    risk 0.00 | cvss not listed | epss 0.00

    FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page (oauth_callback.py) where unescaped user-controlled values are inserted into the generated HTML,…