{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "golang.org/x/crypto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.45.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47914"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-19T23:16:40Z",
    "nvd_published_at": "2025-11-19T21:15:50Z",
    "severity": "MODERATE"
  },
  "details": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
  "id": "GHSA-f6x5-jh6r-wrfv",
  "modified": "2025-11-20T16:35:18Z",
  "published": "2025-11-19T23:16:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47914"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/cl/721960"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/76364"
    },
    {
      "type": "WEB",
      "url": "https://go.googlesource.com/crypto"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-4135"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read"
}

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.17.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-git/go-git/v5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.17.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-129"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-30T17:05:23Z",
    "nvd_published_at": "2026-03-31T15:16:15Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\n`go-git`\u2019s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.\n\nThis issue only affects Git index format version 4. Earlier formats (`go-git` supports only `v2` and `v3`) are not vulnerable to this issue.\n\nAn attacker able to supply a crafted `.git/index` file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.\n\nExploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the `.git` directory.\n\n### Patches\n\nUsers should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.\n\n### Credit\n\ngo-git maintainers thank @kq5y for finding and reporting this issue privately to the `go-git` project.",
  "id": "GHSA-gm2x-2g9h-ccm8",
  "modified": "2026-03-31T18:50:23Z",
  "published": "2026-03-30T17:05:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33762"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-git/go-git"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-git/go-git/releases/tag/v5.17.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "go-git missing validation decoding Index v4 files leads to panic"
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "golang.org/x/crypto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.45.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58181"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-19T23:01:20Z",
    "nvd_published_at": "2025-11-19T21:15:50Z",
    "severity": "MODERATE"
  },
  "details": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
  "id": "GHSA-j5w8-q4qc-rx2x",
  "modified": "2025-11-19T23:01:20Z",
  "published": "2025-11-19T23:01:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58181"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/cl/721961"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/76363"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-4134"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption"
}

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.17.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-git/go-git/v5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.17.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34165"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-30T17:17:54Z",
    "nvd_published_at": "2026-03-31T15:16:17Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.\n\nExploitation requires write access to the local repository\u0027s `.git` directory, it order to create or alter existing `.idx` files. \n\n### Patches\n\nUsers should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.\n\n### Credit\n\nThe go-git maintainers thank @kq5y for finding and reporting this issue privately to the `go-git` project.",
  "id": "GHSA-jhf3-xxhw-2wpp",
  "modified": "2026-03-31T18:50:40Z",
  "published": "2026-03-30T17:17:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34165"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-git/go-git"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-git/go-git/releases/tag/v5.17.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "go-git: Maliciously crafted idx file can cause asymmetric memory consumption"
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/docker/cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.03.0"
            },
            {
              "fixed": "29.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-15558"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T00:10:40Z",
    "nvd_published_at": "2026-03-04T17:16:14Z",
    "severity": "HIGH"
  },
  "details": "This issue affects Docker CLI through 29.1.5\n\n### Impact\n\nDocker CLI for Windows searches for plugin binaries in `C:\\ProgramData\\Docker\\cli-plugins`, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the `docker` CLI is executed as a privileged user.\n\nThis issue affects Docker CLI through v29.1.5 (fixed in v29.2.0). It impacts Windows binaries acting as a CLI plugin manager via the [`github.com/docker/cli/cli-plugins/manager`](https://pkg.go.dev/github.com/docker/cli@v29.1.5+incompatible/cli-plugins/manager) package, which is consumed by downstream projects such as Docker Compose.\n\nDocker Compose became affected starting in v2.31.0, when it incorporated the relevant CLI plugin manager code (see https://github.com/docker/compose/pull/12300), and is fixed in v5.1.0.\n\nThis issue does not impact non-Windows binaries or projects that do not use the plugin manager code.\n\n### Patches\n\nFixed version starts with 29.2.0\n\nThis issue was fixed in https://github.com/docker/cli/commit/13759330b1f7e7cb0d67047ea42c5482548ba7fa (https://github.com/docker/cli/pull/6713), which removed `%PROGRAMDATA%\\Docker\\cli-plugins` from the list of paths used for plugin-discovery on Windows.\n\n### Workarounds\n\nNone\n\n### Resources\n\n- Pull request: \"cli-plugins/manager: remove legacy system-wide cli-plugin path\" (https://github.com/docker/cli/pull/6713)\n- Patch: https://github.com/docker/cli/commit/13759330b1f7e7cb0d67047ea42c5482548ba7fa.patch\n\n### Credits\n\nNitesh Surana (niteshsurana.com) of Trend Research of TrendAI",
  "id": "GHSA-p436-gjf2-799p",
  "modified": "2026-03-31T14:21:14Z",
  "published": "2026-03-05T00:10:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/docker/cli/security/advisories/GHSA-p436-gjf2-799p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15558"
    },
    {
      "type": "WEB",
      "url": "https://github.com/docker/cli/pull/6713"
    },
    {
      "type": "WEB",
      "url": "https://github.com/docker/compose/pull/12300"
    },
    {
      "type": "WEB",
      "url": "https://github.com/docker/cli/commit/13759330b1f7e7cb0d67047ea42c5482548ba7fa"
    },
    {
      "type": "WEB",
      "url": "https://docs.docker.com/desktop/release-notes"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/docker/cli"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-28304"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows"
}

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/modelcontextprotocol/go-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T12:44:07Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The Go SDK recently transitioned to the `segmentio/encoding` library for JSON parsing in version 1.3.1. While this change addressed both case-insensitivity and ASCII folding issues, the new parser implemented aggressive key matching that treated keys with `null` Unicode characters appended at the end as equivalent to their base strings.\n\n#### Impact\n\nWhen combined with duplicate keys, the described behavior leads to a \"last key wins\" resolution that could override the intended MCP message. This had the potential for:\n  - **Bypassing intermediary inspection:** Proxies or policy layers that matched on exact field names may have failed to detect or filter these messages.\n  - **Cross-implementation inconsistency:** Other MCP SDKs (TypeScript, Python) use case-sensitive parsing and would reject the same messages, creating potential security-boundary confusion.\n\n####  Fix:\n\nThe `segmentio/encoding` package was patched with a fix in https://github.com/segmentio/encoding/commit/7d5a25dbc5da13aed3cb047a127e4d0e96f536fb and a new version of the package was released (`v0.5.4`). The SDK switched to the patched version of the dependency in 724dd47aa. Users are advised to update to v1.4.1 to resolve this issue.\n\n#### Credits:\nThank you to Francesco Lacerenza (Doyensec) for reporting this issue.",
  "id": "GHSA-q382-vc8q-7jhj",
  "modified": "2026-03-19T12:44:07Z",
  "published": "2026-03-19T12:44:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-q382-vc8q-7jhj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/go-sdk/commit/724dd47aa3431b9d4cf9ac2eebbf7b38a629afca"
    },
    {
      "type": "WEB",
      "url": "https://github.com/segmentio/encoding/commit/7d5a25dbc5da13aed3cb047a127e4d0e96f536fb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/modelcontextprotocol/go-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk"
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cloudflare/circl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-1229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-682"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T19:17:50Z",
    "nvd_published_at": "2026-02-24T08:16:28Z",
    "severity": "LOW"
  },
  "details": "The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\nECDH and ECDSA signing relying on this curve are not affected.\n\nThe bug was fixed in **[v1.6.3](https://github.com/cloudflare/circl/releases/tag/v1.6.3)**.",
  "id": "GHSA-q9hv-hpm4-hj6x",
  "modified": "2026-02-25T19:17:50Z",
  "published": "2026-02-25T19:17:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/circl/security/advisories/GHSA-q9hv-hpm4-hj6x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1229"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/circl/pull/583"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudflare/circl"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/circl/releases/tag/v1.6.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CIRCL has an incorrect calculation in secp384r1 CombinedMult"
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/modelcontextprotocol/go-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-178",
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-26T22:20:08Z",
    "nvd_published_at": "2026-02-26T01:16:25Z",
    "severity": "HIGH"
  },
  "details": "The Go MCP SDK used Go\u0027s standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing. Go\u0027s standard library performs case-insensitive matching of JSON keys to struct field tags \u2014 a field tagged json:\"method\" would also match \"Method\", \"METHOD\", etc. Additionally, Go\u0027s standard library folds the Unicode characters \u017f (U+017F) and K (U+212A) to their ASCII equivalents s and k, meaning fields like \"param\u017f\" would match \"params\". This violated the JSON-RPC 2.0 specification, which defines exact field names.\n\n#### Impact:\n\nA malicious MCP peer may have been able to send protocol messages with non-standard field casing (e.g., \"Method\" instead of \"method\") that the SDK would silently accept. This had the potential for:\n  - **Bypassing intermediary inspection:** Proxies or policy layers that matched on exact field names may have failed to detect or filter these messages.\n  - **Cross-implementation inconsistency:** Other MCP SDKs (TypeScript, Python) use case-sensitive parsing and would reject the same messages, creating potential security-boundary confusion.\n\n####  Fix:\n\nGo\u0027s standard JSON unmarshaling was replaced with a case-sensitive decoder (github.com/segmentio/encoding) in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue.\n\n#### Credits:\nMCP Go SDK thanks Francesco Lacerenza (Doyensec) for reporting this issue.",
  "id": "GHSA-wvj2-96wp-fq3f",
  "modified": "2026-02-26T22:20:08Z",
  "published": "2026-02-26T22:20:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-wvj2-96wp-fq3f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27896"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/go-sdk/commit/7b8d81c264074404abdf5aa16e2cf0c2d9c64cc0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/modelcontextprotocol/go-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity"
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/modelcontextprotocol/go-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34742"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:09:09Z",
    "nvd_published_at": "2026-04-02T19:21:33Z",
    "severity": "HIGH"
  },
  "details": "The Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with `StreamableHTTPHandler` or `SSEHandler`, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.\n\nNote that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.\n\nServers created via `StreamableHTTPHandler` or `SSEHandler` now have this protection enabled by default when binding to `localhost`. Users are advised to update to version `1.4.0` to receive this automatic protection.",
  "id": "GHSA-xw59-hvm2-8pj6",
  "modified": "2026-04-06T17:32:23Z",
  "published": "2026-04-01T21:09:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-xw59-hvm2-8pj6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34742"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/go-sdk/pull/760"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/go-sdk/commit/67bd3f2e2b53ce11a16db8d976cdb8ff1e986b6d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/modelcontextprotocol/go-sdk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/go-sdk/releases/tag/v1.4.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "DNS Rebinding Protection Disabled by Default in Model Context Protocol Go SDK for Servers Running on Localhost"
}