Security scan of 19 popular MCP servers uncovers real CVEs
A static scanner across 19 top GitHub MCP servers produced 862 findings — nearly all false positives — while the most dangerous real-world MCP exploits of 2026 came from categories static analysis can't touch.
Score breakdown
Author Pico (Dev.to) built a 14-pattern static vulnerability scanner across 7 categories and ran it against 19 popular MCP servers on GitHub, generating 862 findings. After manual triage, the vast majority were false positives — eight repos scored a perfect 100/100, yet none had a CRITICAL vulnerability in production code. The one confirmed CVSS 8.8 SQL injection (in `mcp-server-mysql`) scored only 73, and four vulnerabilities in `sooperset/mcp-atlassian` were independently targeted by active exploits. Meanwhile, the most severe 2026 MCP compromises — including a CVSS 9.8 nginx takeover affecting 2,600+ instances — lived entirely outside static analysis reach.
Pico (Dev.to) built a static vulnerability scanner using regex-based pattern matching across 14 signatures in 7 categories — shell injection, path traversal, SSRF, SQL injection, configuration theater, missing authentication, and hardcoded secrets — and scanned 19 of the most popular MCP servers on GitHub. The tool produces a weighted risk score from 0 to 100 and classifies findings as CRITICAL, HIGH, MEDIUM, or LOW. Across all 19 repos, it surfaced 862 findings. After thorough manual triage, the overwhelming majority were false positives: test fixtures, bundled driver internals, and parser-generated code were repeatedly misidentified as production vulnerabilities. Eight repositories scored 100/100; none contained a confirmed CRITICAL issue in runtime code.
A disclosure advisory (GHSA-2gc7-7mj4-79wg) was filed April 6 with no maintainer response; full public disclosure followed after 7 days.
The one verified high-severity issue — a CVSS 8.8 SQL injection in `executeautomation/mcp-database-server` (scored 73) — stemmed from `multipleStatements: true` with only a `startsWith("SELECT")` prefix check as a defense, trivially bypassed with payloads like `SELECT 1; DROP TABLE users; --`. A disclosure advisory (GHSA-2gc7-7mj4-79wg) was filed April 6 with no maintainer response; full public disclosure followed after 7 days. The same root cause was previously reported in the repo's PostgreSQL adapter as CVE-2025-59333 (CVSS 8.1) by Liran Tal. `sooperset/mcp-atlassian` (4,400+ stars) carried four real vulnerabilities: two HIGH-severity SSRFs via unvalidated `icon_url` and attachment URLs, a MEDIUM JQL injection, and a MEDIUM stored XSS — the same server independently hit by MCPwnfluence (CVE-2026-27825/27826).
The article's central argument is that the most dangerous MCP threats of 2026 are invisible to static analysis. MCPwn (CVE-2026-33032, CVSS 9.8) achieved full nginx takeover across 2,600+ instances with just two unauthenticated HTTP requests. MCPwnfluence chained SSRF and file write into unauthenticated RCE. Ox Security's STDIO injection class covered 10+ CVEs, ~200K vulnerable instances, and 150M downloads, spanning transport manipulation and prompt injection vectors. The research frames static scanning as useful for triage but warns that single-maintainer packages bridging AI agents to enterprise infrastructure represent a systemic risk that no regex can detect.
Topics
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Apr 19, 2026 · 11:33 UTC. How this works →