The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the public catalogue UI served at GET / (file internal/api/handlers/v0/ui_index.html) is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published server.json. Server-side validation in internal/validators/validators.go (validateWebsiteURL) only checks that the URL parses, is absolute, and uses the https scheme; it does not reject quote characters. Client-side, the value is interpolated into a double-quoted href attribute via innerHTML, using a homegrown escapeHtml helper that performs the standard textContent → innerHTML round-trip. Per the HTML serialisation algorithm, that round-trip encodes only &, <, > and U+00A0 inside text nodes — it does not encode " or '. A literal " in websiteUrl therefore breaks out of the href attribute, allowing arbitrary on* event handlers to be appended to the same <a> element. The Content-Security-Policy on / is script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com, so the injected event handlers execute. Any user able to obtain a publish token (e.g. via POST /v0/auth/github-at with their own GitHub account, or POST /v0/auth/none on a deployment that has anonymous auth enabled) can plant a poisoned record visible to every visitor of the registry homepage. This vulnerability is fixed in 1.7.7.
CVE-2026-44429 is a stored cross-site scripting vulnerability in MCP Registry versions prior to 1.7.7 affecting the public catalogue UI through improper validation of the server.websiteUrl field. The vulnerability allows attackers to inject malicious scripts by bypassing inadequate server-side URL validation and client-side HTML escaping mechanisms.
This vulnerability affects MCP Registry versions before 1.7.7, where the public catalogue UI is susceptible to stored XSS via the server.websiteUrl field. Server-side validation fails to reject quote characters in the websiteUrl field, which allows a value to break out of the HTML attribute and inject script. Attackers can inject malicious code that executes in users' browsers when they view published server listings.
Upgrade MCP Registry to version 1.7.7 or later immediately. Implement strict server-side validation for websiteUrl that rejects quote characters and special characters. Use proper HTML entity encoding for all user-controlled data in HTML attributes. Apply Content Security Policy headers to prevent inline script execution. Conduct a security audit of all published server entries for malicious URLs.
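The sketch below is an added example, not code from the MCP Registry project: it models the text-node escaping described above, contrasts it with an attribute-context escaper, and audits stored records for websiteUrl values that a stricter validator would reject. The function names, the exact rejected character set beyond quotes, and the sample records are assumptions constructed for illustration.

```javascript
// Model of the textContent -> innerHTML round-trip: serialising a text node
// encodes only &, <, > and U+00A0, so both quote characters pass through.
function escapeTextNode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute-context escaper: same as above, plus both quote characters.
function escapeAttr(s) {
  return escapeTextNode(s).replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// True when an escaped value can still terminate a double-quoted attribute.
function breaksOutOfAttribute(escaped) {
  return escaped.includes('"');
}

// Hypothetical strict check: the rules the page lists for validateWebsiteURL
// (parses, absolute, https) plus rejection of quotes, backticks, angle
// brackets, whitespace and control characters (assumed character set).
function isSafeWebsiteUrl(value) {
  if (typeof value !== 'string') return false;
  if (/["'<>`\s\u0000-\u001f\u007f]/.test(value)) return false;
  try {
    return new URL(value).protocol === 'https:';
  } catch {
    return false; // relative or unparseable
  }
}

// Audit helper: names of records whose websiteUrl fails the strict check.
function auditRecords(records) {
  return records
    .filter((r) => r.websiteUrl !== undefined && !isSafeWebsiteUrl(r.websiteUrl))
    .map((r) => r.name);
}

// Constructed sample records (not real registry data); the second one only
// carries an inert data-* attribute to show the quote surviving.
const SAMPLE = [
  { name: 'io.example/clean', websiteUrl: 'https://example.com/docs' },
  { name: 'io.example/quoted', websiteUrl: 'https://example.com/" data-x="1' },
  { name: 'io.example/http', websiteUrl: 'http://example.com/' },
];
```

Running auditRecords over an export of published entries gives the list to review after upgrading; escapeAttr is the encoding to use wherever a value lands inside a quoted attribute.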