Tag
The Go MCP SDK before v1.4.1 is vulnerable to cross-site POST requests due to insufficient origin validation and content type enforcement, potentially leading to arbitrary tool execution on local servers in stateless or sessionless deployments.