Skills
MCP 30 CVEs in 60 Days: 82% of Implementations Vulnerable to Path Traversal, 38% Have Zero Authentication
Between January and February 2026, security researchers filed 30+ CVEs against MCP servers, clients, and infrastructure — including a CVSS 9.6 RCE in a package with nearly 500K downloads. A survey of 2,614 MCP implementations found 82% vulnerable to path traversal via file operations, two-thirds have code injection risk, and 38% of 500+ scanned servers completely lack authentication. Root causes are missing input validation and blind trust in tool descriptions, not exotic zero-days.
Source
↳ Follow the thread