Security scan of 19 popular MCP servers uncovers real CVEs
A static scanner across 19 top GitHub MCP servers produced 862 findings — nearly all false positives — while the most dangerous real-world MCP exploits of 2026 came from categories static analysis can't touch.
Score breakdown
Author Pico (Dev.to) built a 14-pattern static vulnerability scanner across 7 categories and ran it against 19 popular MCP servers on GitHub, generating 862 findings. After manual triage, the vast majority were false positives — eight repos scored a perfect 100/100, yet none had a CRITICAL vulnerability in production code. The one confirmed CVSS 8.8 SQL injection (in `mcp-server-mysql`) scored only 73, and four vulnerabilities in `sooperset/mcp-atlassian` were independently targeted by active exploits. Meanwhile, the most severe 2026 MCP compromises — including a CVSS 9.8 nginx takeover affecting 2,600+ instances — lived entirely outside static analysis reach.
Pico (Dev.to) built a static vulnerability scanner using regex-based pattern matching across 14 signatures in 7 categories — shell injection, path traversal, SSRF, SQL injection, configuration theater, missing authentication, and hardcoded secrets — and scanned 19 of the most popular MCP servers on GitHub. The tool produces a weighted risk score from 0 to 100 and classifies findings as CRITICAL, HIGH, MEDIUM, or LOW. Across all 19 repos, it surfaced 862 findings. After thorough manual triage, the overwhelming majority were false positives: test fixtures, bundled driver internals, and parser-generated code were repeatedly misidentified as production vulnerabilities. Eight repositories scored 100/100; none contained a confirmed CRITICAL issue in runtime code.
The one verified high-severity issue — a CVSS 8.8 SQL injection in `executeautomation/mcp-database-server` (scored 73) — stemmed from `multipleStatements: true` with only a `startsWith("SELECT")` prefix check as a defense, trivially bypassed with payloads like `SELECT 1; DROP TABLE users; --`. A disclosure advisory (GHSA-2gc7-7mj4-79wg) was filed April 6 with no maintainer response; full public disclosure followed after 7 days. The same root cause was previously reported in the repo's PostgreSQL adapter as CVE-2025-59333 (CVSS 8.1) by Liran Tal. `sooperset/mcp-atlassian` (4,400+ stars) carried four real vulnerabilities: two HIGH-severity SSRFs via unvalidated `icon_url` and attachment URLs, a MEDIUM JQL injection, and a MEDIUM stored XSS — the same server independently hit by MCPwnfluence (CVE-2026-27825/27826).
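As an added illustration (not code from the scanned project), here is the prefix-only guard the article describes beside a stricter single-statement validator and the connection setting that should accompany it; the function names and the `mcp_readonly` account are hypothetical.

```javascript
// Added example (not code from the scanned project): the prefix-only guard the article
// describes, beside a stricter single-statement validator. Function names are hypothetical.

// Weak guard: only the leading keyword is inspected, so anything after a ';' is never seen.
function weakPrefixGuard(sql) {
  return sql.trim().toUpperCase().startsWith("SELECT");
}

// Scan the statement outside string literals and report whether a second statement
// or a comment follows. Comments are rejected too: a driver with multipleStatements
// enabled still runs every statement that precedes a trailing "--".
function hasSecondStatementOrComment(sql) {
  let quote = null; // active string delimiter: ', " or `
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (quote) {
      if (c === "\\") { i++; continue; } // skip the escaped character inside a literal
      if (c === quote) quote = null;
      continue;
    }
    if (c === "'" || c === '"' || c === "`") { quote = c; continue; }
    if (c === ";") return sql.slice(i + 1).trim().length > 0; // text after ';' is a 2nd statement
    if (c === "#" || (c === "-" && sql[i + 1] === "-") || (c === "/" && sql[i + 1] === "*")) {
      return true;
    }
  }
  return false;
}

// Stricter guard: SELECT keyword, exactly one statement, no comments.
function strictReadOnlyGuard(sql) {
  const trimmed = sql.trim();
  return /^SELECT\b/i.test(trimmed) && !hasSecondStatementOrComment(trimmed);
}

// Connection settings a read-only MCP database tool should pair with the guard. The option
// name is the one quoted in the article; the keyword check is not a privilege boundary on
// its own, so the database account itself should be read-only (constructed placeholder name).
const hardenedConnectionOptions = Object.freeze({
  multipleStatements: false,
  user: "mcp_readonly",
});
```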
The article's central argument is that the most dangerous MCP threats of 2026 are invisible to static analysis. MCPwn (CVE-2026-33032, CVSS 9.8) achieved full nginx takeover across 2,600+ instances with just two unauthenticated HTTP requests. MCPwnfluence chained SSRF and file write into unauthenticated RCE. Ox Security's STDIO injection class covered 10+ CVEs, ~200K vulnerable instances, and 150M downloads, spanning transport manipulation and prompt injection vectors. The research frames static scanning as useful for triage but warns that single-maintainer packages bridging AI agents to enterprise infrastructure represent a systemic risk that no regex can detect.