Electron

MCP SVG Icon Injection: From XSS to RCE Through the Protocol Spec

15 February 2026·10 mins

Vulnerability Research Bug Bounty Mcp Xss RCE Svg Electron Vulnerability-Research Responsible-Disclosure Bug-Bounty

A deep dive into a protocol-level vulnerability in the Model Context Protocol (MCP) specification where malicious SVG icons delivered via data: URIs can escalate from XSS to full RCE on Electron clients. Reported to Anthropic VDP, closed as Informative. Disclosed here with full technical details.

↑