HIGH🇬🇧 English

CVE-2026-25536

CVSS 7.1v3.1pub. 2026-02-04upd. 2026-06-30

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
  • Lfprojects Mcp Typescript Sdk

    APP
    Lfprojects
    1.10.0 – 1.26.0 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-0621HIGH8.7ten sam produkt

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of serv...

CVE-2025-66414HIGH7.6ten sam produkt

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.2...

CVE-2026-2651CRITICAL9.0PL ✓ten sam vendor

MLflow: nieautoryzowany dostęp do endpointów multipart upload (RCE)

CVE-2026-2611CRITICAL9.6PL ✓ten sam vendor

MLflow: nieprawidłowa walidacja origin umożliwia RCE przez cross-origin request

CVE-2026-0545CRITICAL9.8PL ✓ten sam vendor

Brak uwierzytelnienia w endpointach FastAPI jobs w MLflow (Auth Bypass / RCE)