https://feed.craftedsignal.io/tags/cross-site-request-forgery/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 24 Mar 2026 00:16:30 +0000https://feed.craftedsignal.io/briefs/2024-01-01-go-mcp-cve/Tue, 24 Mar 2026 00:16:30 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-01-go-mcp-cve/The Go MCP SDK before v1.4.1 is vulnerable to cross-site POST requests due to insufficient origin validation and content type enforcement, potentially leading to arbitrary tool execution on local servers in stateless or sessionless deployments.The Go MCP SDK, utilizing Go’s standard encoding/json, was found to have a vulnerability related to cross-site request handling. Specifically, versions prior to 1.4.1 of the SDK’s Streamable HTTP transport accepted browser-generated cross-site POST requests without proper validation. The absence of Origin header validation and the lack of a requirement for Content-Type: application/json created a security gap. In deployments lacking robust authorization mechanisms, particularly those…

]]>highadvisorycve-2026-33252cross-site request forgerygo-mcp-sdk