Vibe Coding
Pattern: MCP Security Debt Accelerates — Oracle, nginx-ui, code-mcp CVEs in Single Month While Ecosystem Passes 7,000 Servers
May 2026 produced three MCP-related CVEs (Oracle SQL injection, nginx-ui CVSS 9.8 full takeover, code-mcp command injection) while OX Security documented a systemic RCE flaw affecting 7,000+ publicly accessible servers and packages with 150M+ downloads. Adversa AI published a May 2026 MCP security resource roundup acknowledging the audit gap. Anthropic has declined to modify the protocol architecture, stating the behavior is 'expected.' For builders: audit every MCP server you connect to — the ecosystem is growing faster than anyone can vet, and each server is a potential command injection surface.
Source
↳ Follow the thread