Description
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the public catalogue UI served at GET / (file internal/api/handlers/v0/ui_index.html) is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published server.json. Server-side validation in internal/validators/validators.go (validateWebsiteURL) only checks that the URL parses, is absolute, and uses the https scheme; it does not reject quote characters. Client-side, the value is interpolated into a double-quoted href attribute via innerHTML, using a homegrown escapeHtml helper that performs the standard textContent → innerHTML round-trip. Per the HTML serialisation algorithm, that round-trip encodes only &, <, > and U+00A0 inside text nodes — it does not encode " or '. A literal " in websiteUrl therefore breaks out of the href attribute, allowing arbitrary on* event handlers to be appended to the same <a> element. The Content-Security-Policy on / is script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com, so the injected event handlers execute. Any user able to obtain a publish token (e.g. via POST /v0/auth/github-at with their own GitHub account, or POST /v0/auth/none on a deployment that has anonymous auth enabled) can plant a poisoned record visible to every visitor of the registry homepage. This vulnerability is fixed in 1.7.7.
Published: 2026-05-14
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MCP Registry’s public catalogue UI (GET /) is vulnerable to stored cross‑site scripting. An attacker who can supply a publish token can create a malicious server.json record that sets the websiteUrl field to a string containing a double quote and an arbitrary JavaScript event handler. Because the server validates only that the string is an absolute https URL and the client inserts the value into an href attribute via innerHTML without encoding double quotes, the payload breaks out of the attribute and executes in the victim’s browser. The injected handler runs with the page’s context, allowing the attacker to steal session cookies, modify page content, or perform any JavaScript action on the registry homepage. This flaw is categorized as CWE‑79 and CWE‑116.

Affected Systems

The vulnerability affects the modelcontextprotocol:registry product, specifically all releases earlier than version 1.7.7. Any deployment of the MCP Registry that has not yet applied the 1.7.7 fix is susceptible to this stored XSS. The issue exists in the catalogue UI served at the root path and in the server‑side validation logic for the websiteUrl field.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity overall, but the lack of an EPSS score and absence from the CISA KEV catalog do not diminish its potential impact. An attacker can achieve exploitation simply by publishing a spurious server record, which is trivial once a publish token is obtained—through a GitHub OAuth flow or an anonymous auth endpoint. All users who visit the registry homepage become exposed to the malicious payload, leading to a widespread but browser‑specific attack surface. The best mitigation is to upgrade to 1.7.7 or newer, but publishers should also reduce the attacker’s ability to supply arbitrary websiteUrl data by enforcing stricter authentication and server‑side validation.

Generated by OpenCVE AI on May 14, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MCP Registry to version 1.7.7 or newer.
  • Verify and remove any server.json entries containing malicious or untrusted websiteUrl values until the upgrade is applied.
  • Limit publish access by requiring authenticated accounts and disabling anonymous authentication to prevent attackers from creating poisoned records.
  • Update the server‑side validation to reject quote characters in the websiteUrl field to prevent future exploitation.
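
The escaping gap from the description and the two checks recommended above (rejecting quotes, auditing stored records), as an added example that is not the registry's own code. The function names and sample records are assumptions constructed for illustration, and the text-node escaping rule is reproduced by hand so it runs in Node without a DOM.

```javascript
// Added example (not the registry's code). Pure Node, no DOM: the text-node
// escaping rule is reproduced by hand so the comparison runs offline.

// What a textContent -> innerHTML round-trip yields: only &, <, > and U+00A0.
function escapeHtmlTextNode(s) {
  return String(s).replace(/&/g, '&amp;').replace(/\u00A0/g, '&nbsp;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute-safe variant: also encodes both quote characters.
function escapeHtmlAttr(s) {
  return escapeHtmlTextNode(s).replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Interpolate into a double-quoted href, as the description says the UI does.
function renderLink(url, escapeFn) {
  return `<a href="${escapeFn(url)}">Website</a>`;
}

// Hypothetical helper: attribute names a parser would see on the start tag.
function attributeNames(html) {
  const startTag = html.slice(0, html.indexOf('>'));
  const re = /([^\s"'=<>\/]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/g;
  return [...startTag.matchAll(re)].map((m) => m[1]);
}

// Validator sketch: parses, is https, and (the missing check) has no quotes.
function isAcceptableWebsiteUrl(value) {
  if (typeof value !== 'string' || /["']/.test(value)) return false;
  try { return new URL(value).protocol === 'https:'; } catch { return false; }
}

// Audit stored records; returns names whose websiteUrl fails the validator.
function findSuspectRecords(records) {
  return records.filter((r) => r.websiteUrl !== undefined &&
    !isAcceptableWebsiteUrl(r.websiteUrl)).map((r) => r.name);
}

// Constructed sample data; the injected attribute is an inert data-* marker.
const SAMPLE_URL = 'https://example.com/" data-injected="1';
const SAMPLE_RECORDS = [
  { name: 'io.example/clean', websiteUrl: 'https://example.com/docs' },
  { name: 'io.example/quoted', websiteUrl: SAMPLE_URL },
  { name: 'io.example/no-site' },
];

console.log(attributeNames(renderLink(SAMPLE_URL, escapeHtmlTextNode)));
console.log(attributeNames(renderLink(SAMPLE_URL, escapeHtmlAttr)));
console.log(findSuspectRecords(SAMPLE_RECORDS));
```

With text-node escaping the rendered tag carries a second attribute; with attribute escaping the whole value stays inside href.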



Advisories
Source: Github GHSA
ID: GHSA-rqv2-m695-f8j4
Title: MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl`

History

Fri, 15 May 2026 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Lfprojects; Lfprojects mcp Registry
CPEs | | cpe:2.3:a:lfprojects:mcp_registry:*:*:*:*:*:*:*:*
Vendors & Products | | Lfprojects; Lfprojects mcp Registry
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Fri, 15 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the Description at the top of this page)
Title | | MCP Registry: Stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl`
Weaknesses | | CWE-116; CWE-79
References | |
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T14:20:27.564Z

Reserved: 2026-05-06T14:40:00.954Z

Link: CVE-2026-44429

Vulnrichment

Updated: 2026-05-15T14:20:18.373Z

NVD

Status: Analyzed

Published: 2026-05-14T21:16:46.677

Modified: 2026-05-15T17:52:27.937

Link: CVE-2026-44429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T22:30:25Z
