The MCP Registry serves a list of MCP servers through a public catalogue UI vulnerable to stored XSS via the server.websiteUrl field in published server.json files. Server-side validation (validateWebsiteURL) ensures URLs parse correctly, are absolute, and use HTTPS, but does not reject quote characters. Client-side, the URL is inserted into a double-quoted href attribute using an escapeHtml helper that only encodes &, <, >, and U+00A0, leaving quotes unencoded. This allows a crafted " character to break out of the href attribute and inject arbitrary on* event handlers, which execute due to the Content-Security-Policy allowing 'unsafe-inline' scripts. Any user with a publish token (e.g., authenticated via GitHub or anonymous auth if enabled) can inject malicious records visible to all visitors. The issue is resolved in MCP Registry version 1.7.7.

An attacker with publish token access can inject malicious JavaScript into the MCP Registry homepage visible to all users, potentially leading to session hijacking, credential theft, or other client-side attacks. The vulnerability requires at least low privileges (publish token) and user interaction (visiting the homepage). The CVSS 4.0 base score is 5.1 (medium severity), reflecting network attack vector, low attack complexity, and limited privileges required.

This vulnerability is fixed in modelcontextprotocol registry version 1.7.7. Users should upgrade to version 1.7.7 or later to remediate this issue. No official patch or temporary fix is indicated beyond upgrading. If upgrading is not immediately possible, restrict or monitor publish token issuance to trusted users to reduce risk. Patch status is not explicitly stated but the fix is confirmed in version 1.7.7.