MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled websiteUrl in github.com/modelcontextprotocol/registry
{
"review_status": "UNREVIEWED",
"url": "https://pkg.go.dev/vuln/GO-2026-5637"
}