VYPR

Mcp Go SDK

by Mlflow

Source repositories

CVEs (3)

  • CVE-2026-34742HigApr 2, 2026
    risk 0.46cvss 8.1epss 0.00

    The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with…

  • CVE-2026-27896HigFeb 26, 2026
    risk 0.42cvss 7.5epss 0.00

    The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match…

  • CVE-2026-33252HigMar 24, 2026
    risk 0.39cvss 7.1epss 0.00

    The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments…