Vulnerability Database

321,672

Total vulnerabilities in the database

CVE-2026-25536

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.

Published: Feb 4, 2026
Updated: Feb 5, 2026
CVE: CVE-2026-25536
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CWEs:

CWE-362

Affected Software
References

No affected software listed.

https://github.com/modelcontextprotocol/typescript-sdk/issues/204
https://github.com/modelcontextprotocol/typescript-sdk/issues/243
https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo