This release includes 1 security fix for security teams reviewing exposed deployments.

Published 22d MCP Security & Auth
✓ No known CVEs patched
This release patches 1 known CVE

Topics

extension

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Light signal
editorial:auto 13d

Burp Suite v1.1.3 rejects comma-injected hostnames in auto-approve lists by changing the delimiter from comma to newline, and prunes invalid entries on startup.

Why it matters: Comma injection in auto-approve lists is now blocked via newline delimiters. Test existing configurations in dev before production upgrade; invalid entries auto-prune on startup.

Summary

AI summary

Rejects comma‑injected hostnames by changing the auto‑approve delimiter to newline.

Changes in this release

Security Medium

Rejects comma-injected hostnames in auto-approve list.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Invalid entries pruned from persisted auto-approve list on startup.

Source: llm_adapter@2026-05-21

Confidence: high

Refactor Medium

Bare IPv6 addresses validated via InetAddress.

Source: llm_adapter@2026-05-21

Confidence: low

Refactor Medium

Changes delimiter from comma to newline for auto-approve targets.

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Full changelog

Security fix: reject comma-injected hostnames in auto-approve list.

  • Changed auto-approve target delimiter from comma to newline to prevent injection attacks
  • Invalid entries are pruned from the persisted list on startup
  • Bare IPv6 addresses are now validated via InetAddress

Breaking Changes

  • Changed auto‑approve target delimiter from comma to newline

Security Fixes

  • Rejects comma‑injected hostnames in the auto‑approve list, preventing injection attacks
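The following is an added sketch, not code from the Burp Suite MCP project. It models why a comma-joined auto-approve list lets a single approved value expand into several entries, and how a newline delimiter plus per-entry validation and startup pruning closes that gap. The storage format, function names, hostname grammar and sample hostnames are assumptions, and Python's `ipaddress` module stands in for the `InetAddress` check named in the changelog.

```python
import ipaddress
import re

# Assumed hostname grammar for this sketch: dot-separated LDH labels, no ports or wildcards.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_valid_target(entry: str) -> bool:
    """True for a single hostname, IPv4 literal or bare IPv6 literal."""
    if ":" in entry:
        # Bare IPv6: defer to an address parser (ipaddress stands in for InetAddress).
        try:
            return ipaddress.ip_address(entry).version == 6
        except ValueError:
            return False
    return len(entry) <= 253 and _HOST_RE.fullmatch(entry) is not None


def legacy_add(persisted: str, target: str) -> str:
    """Assumed pre-fix behaviour: append to a comma-joined string, no validation."""
    return f"{persisted},{target}" if persisted else target


def legacy_load(persisted: str) -> list[str]:
    """Assumed pre-fix load: every comma-separated piece becomes an entry."""
    return [piece for piece in persisted.split(",") if piece]


def add_target(persisted: str, target: str) -> str:
    """Post-fix model: validate first, then store one entry per line."""
    if not is_valid_target(target):
        raise ValueError(f"rejected auto-approve target: {target!r}")
    return f"{persisted}\n{target}" if persisted else target


def load_and_prune(persisted: str) -> tuple[list[str], list[str]]:
    """Startup load: keep valid lines, report the ones that were pruned."""
    kept, pruned = [], []
    for line in persisted.split("\n"):
        if line:
            (kept if is_valid_target(line) else pruned).append(line)
    return kept, pruned


# Constructed sample: one approved "hostname" that carries a comma.
INJECTED = "a.example.test,b.example.test"
```

In this model a list persisted in the old comma-joined form loads as one line that fails validation, so it lands in `pruned`; that is the case to check for when testing an existing configuration before upgrading.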


About Burp Suite MCP by PortSwigger

MCP Server for Burp
