mcp-cve-project

mcp
Security Audit
Warn
Health Warn
  • No license — Repository has no license file
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 5 GitHub stars
Code Warn
  • Code scan incomplete — No supported source files were scanned during light audit
Permissions Pass
  • Permissions — No dangerous permissions requested

SUMMARY

The project shares all information on published MCP-related CVEs.

README.md

MCP-related CVE reference

This repository is a curated index of publicly disclosed Common Vulnerabilities and Exposures (CVEs) that touch the Model Context Protocol (MCP) ecosystem: official and third-party servers, SDKs, gateways, clients, and integrations where MCP is part of the attack surface or fix scope. Each linked note under cves/ summarizes the affected component, weakness class, and pointers for defenders and maintainers.

Coverage: 111 indexed CVEs (indexed below, newest first by disclosure-related date).

CVE Breakdown

2026

S.No Date CVE Affected product
1 2026‑05‑12 CVE‑2026‑5029 Code Runner MCP Server unauthenticated RCE
2 2026‑05‑12 CVE‑2026‑43992 JunoClaw MCP write-tool mnemonic exposure
3 2026‑05‑12 CVE‑2026‑42260 Open-WebSearch MCP SSRF
4 2026‑05‑11 CVE‑2026‑45001 OpenClaw config guard bypass affecting MCP server configuration
5 2026‑05‑11 CVE‑2026‑44998 OpenClaw bundled MCP/LSP tool policy bypass
6 2026‑05‑11 CVE‑2026‑44995 OpenClaw MCP stdio environment-variable code execution
7 2026‑05‑11 CVE‑2026‑43901 Wireshark MCP path/export object issue
8 2026‑05‑08 CVE‑2026‑44694 n8n-mcp authenticated SSRF
9 2026‑05‑08 CVE‑2026‑42282 n8n-mcp sensitive tool-call arguments logged
10 2026‑05‑08 CVE‑2026‑41495 n8n-mcp sensitive request data logged
11 2026‑05‑07 CVE‑2026‑42449 n8n-mcp IPv4-mapped IPv6 SSRF bypass
12 2026‑05‑05 CVE‑2026‑35228 Oracle MCP Server Helper Tool (SQL injection)
13 2026‑05‑04 CVE‑2026‑7730 privsim/mcp-test-runner command injection
14 2026‑05‑04 CVE‑2026‑42236 n8n (MCP OAuth client registration DoS)
15 2026‑05‑04 CVE‑2026‑42230 n8n (MCP OAuth open redirect)
16 2026‑05‑01 CVE‑2026‑7591 astro-mcp-server SQL injection
17 2026‑04‑23 CVE‑2026‑40933 Flowise (MCP adapter command injection via unsafe stdio serialization)
18 2026‑04‑23 CVE‑2026‑30623 LiteLLM (authenticated RCE via MCP stdio server creation)
19 2026‑04‑20 CVE‑2025‑66335 Apache Doris MCP Server (doris-mcp-server; SQL injection)
20 2026‑04‑16 CVE‑2026‑39313 mcp-framework
21 2026‑04‑15 CVE‑2026‑33224 Bisheng (authenticated RCE via MCP stdio server configuration)
22 2026‑04‑15 CVE‑2026‑30625 Upsonic (unauthenticated RCE via MCP server/task creation)
23 2026‑04‑15 CVE‑2026‑30624 Agent Zero (RCE via external MCP stdio JSON configuration)
24 2026‑04‑15 CVE‑2026‑30618 Fay Digital Human Framework (unauthenticated RCE via MCP adapter stdio)
25 2026‑04‑15 CVE‑2026‑30617 LangChain-ChatChat (unauthenticated RCE via MCP STDIO server configuration)
26 2026‑04‑15 CVE‑2026‑30616 Jaaz (RCE via MCP STDIO handling when network-exposed)
27 2026‑04‑15 CVE‑2026‑30615 Windsurf (prompt injection → unauthorized MCP stdio registration / local RCE)
28 2026‑04‑15 CVE‑2026‑26015 DocsGPT (RCE via tampered MCP transport to hidden stdio configuration)
29 2026‑04‑15 CVE‑2026‑22688 WeKnora (untrusted MCP stdio input; cross-referenced in OX advisory)
30 2026‑04‑15 CVE‑2026‑22252 LibreChat (untrusted MCP stdio input; cross-referenced in OX advisory)
31 2026‑04‑14 CVE‑2026‑39884 mcp-server-kubernetes (port_forward argument injection)
32 2026‑04‑13 CVE‑2026‑27826 MCP Atlassian (mcp-atlassian) (SSRF via unvalidated URL headers)
33 2026‑04‑12 CVE‑2026‑40576 excel-mcp-server (path traversal in remote file handlers)
34 2026‑04‑10 CVE‑2026‑5059 aws-mcp / aws-mcp-server (command injection)
35 2026‑04‑10 CVE‑2026‑5058 aws-mcp / aws-mcp-server (unauthenticated command injection)
36 2026‑04‑10 CVE‑2026‑40159 PraisonAI MCP integration
37 2026‑04‑09 CVE‑2026‑39974 n8n-mcp (authenticated SSRF in multi-tenant HTTP mode)
38 2026‑04‑08 CVE‑2026‑39885 FrontMCP / mcp-from-openapi (OpenAPI $ref SSRF)
39 2026‑04‑07 CVE‑2026‑35568 MCP Java SDK (io.modelcontextprotocol.sdk)
40 2026‑04‑07 CVE‑2026‑34200 Nhost CLI MCP server (authentication bypass when network-exposed)
41 2026‑04‑03 CVE‑2026‑27124 FastMCP (PrefectHQ/fastmcp) (OAuth consent verification bypass / confused deputy)
42 2026‑04‑02 CVE‑2026‑34742 MCP Go SDK (github.com/modelcontextprotocol/go-sdk)
43 2026‑04‑02 CVE‑2026‑32871 FastMCP OpenAPI Provider (SSRF + path traversal via unencoded path params)
44 2026‑03‑31 CVE‑2026‑34237 MCP Java SDK (io.modelcontextprotocol.sdk) (wildcard CORS)
45 2026‑03‑30 CVE‑2026‑33032 nginx-ui MCP integration
46 2026‑03‑29 CVE‑2026‑5023 codebase-mcp (OS command injection)
47 2026‑03‑28 CVE‑2026‑5007 mcp-docs-rag (OS command injection)
48 2026‑03‑27 CVE‑2026‑33980 Azure Data Explorer MCP Server (KQL injection)
49 2026‑03‑27 CVE‑2026‑33946 MCP Ruby SDK SSE stream hijacking
50 2026‑03‑27 CVE‑2026‑31951 LibreChat malicious MCP server OAuth token exfiltration
51 2026‑03‑23 CVE‑2026‑33252 MCP Go SDK (HTTP transport cross-site tool execution / CSRF class)
52 2026‑03‑16 CVE‑2026‑4270 AWS API MCP Server (awslabs/mcp; pip ≥0.2.14 before 1.3.9; workdir / no-access path bypass; fixed 1.3.9)
53 2026‑03‑13 CVE‑2026‑31944 LibreChat (MCP OAuth callback account takeover)
54 2026‑03‑13 CVE‑2026‑26118 Azure MCP Server (azure.mcp) (SSRF)
55 2026‑03‑10 CVE‑2026‑27825 MCP Atlassian (mcp-atlassian) (arbitrary file write / RCE)
56 2026‑02‑26 CVE‑2026‑27896 MCP Go SDK (case-sensitivity / JSON-RPC parsing inconsistency)
57 2026‑02‑25 CVE‑2026‑27735 mcp-server-git (git_add path traversal; stage files outside repo)
58 2026‑02‑08 CVE‑2026‑2178 xcode-mcp-server (command injection)
59 2026‑02‑06 CVE‑2026‑25650 MCP Salesforce Connector (MCP-Salesforce / mcp-salesforce-connector) (auth token disclosure)
60 2026‑02‑04 CVE‑2026‑25536 MCP TypeScript SDK (cross-client data leak via shared server/transport reuse)
61 2026‑01‑22 CVE‑2026‑0756 github-kanban-mcp-server (unauthenticated RCE / command injection)
62 2026‑01‑21 CVE‑2026‑22792 5ire Desktop MCP client (unsafe HTML rendering → arbitrary JS execution)
63 2026‑01‑21 CVE‑2026‑21852 Claude Code pre-trust API key exfiltration in MCP-related config flow
64 2026‑01‑16 CVE‑2026‑23744 MCPJam Inspector (unauthenticated RCE via exposed listener)
65 2026‑01‑12 CVE‑2025‑66689 Zen MCP Server (path traversal)
66 2026‑01‑09 CVE‑2026‑0755 gemini-mcp-tool (command injection via unsafe shell execution)
67 2026‑01‑07 CVE‑2025‑9611 @playwright/mcp / Microsoft Playwright MCP Server (DNS rebinding; missing Origin validation)
68 2026‑01‑07 CVE‑2025‑67366 @sylphxltd/filesystem-mcp (path traversal / symlink bypass)
69 2026‑01‑05 CVE‑2026‑0621 MCP TypeScript SDK (UriTemplate ReDoS)

2025

S.No Date CVE Affected product
1 2026‑05‑12 CVE‑2025‑69443 Archon (coleam00) UI takeover / RCE and credential theft (crafted HTML)
2 2026‑05‑12 CVE‑2025‑65719 kubectl-mcp-server arbitrary code execution
3 2026‑04‑15 CVE‑2025‑65720 GPT Researcher (unauthenticated RCE via malicious MCP stdio configuration)
4 2025‑12‑30 CVE‑2025‑69256 @serverless/mcp (command injection in Serverless Framework MCP feature)
5 2025‑12‑17 CVE‑2025‑68145 mcp-server-git (repository boundary bypass via --repository)
6 2025‑12‑17 CVE‑2025‑68144 mcp-server-git (argument injection in git operations)
7 2025‑12‑17 CVE‑2025‑68143 mcp-server-git (git_init arbitrary path)
8 2025‑12‑09 CVE‑2025‑65513 fetch-mcp SSRF (private IP validation bypass)
9 2025‑12‑03 CVE‑2025‑66404 mcp-server-kubernetes (exec_in_pod command injection)
10 2025‑12‑03 CVE‑2025‑64443 Docker MCP Gateway
11 2025‑12‑03 CVE‑2025‑20381 Splunk MCP Server app
12 2025‑12‑02 CVE‑2025‑66416 MCP Python SDK (mcp)
13 2025‑12‑02 CVE‑2025‑66414 MCP TypeScript SDK (@modelcontextprotocol/sdk)
14 2025‑12‑01 CVE‑2025‑66401 mcp-watch (command injection via cloneRepo URL)
15 2025‑11‑18 CVE‑2025‑63604 mcp-server-aws-resources-python (code injection / AWS credential exposure)
16 2025‑11‑18 CVE‑2025‑63603 MCP Data Science Server (reading-plus-ai/mcp-server-data-exploration) (unsafe exec / code execution)
17 2025‑11‑18 CVE‑2025‑59944 Cursor MCP config overwrite / case-sensitivity bypass
18 2025‑11‑15 CVE‑2025‑61260 OpenAI Codex CLI malicious MCP config code execution
19 2025‑10‑29 CVE‑2025‑64132 Jenkins MCP Server Plugin (missing permission checks in multiple tools)
20 2025‑10‑20 CVE‑2025‑6515 oatpp-mcp (predictable MCP SSE session IDs; session / prompt hijacking)
21 2025‑10‑12 CVE‑2025‑59163 SafeDep vet MCP server DNS rebinding
22 2025‑10‑08 CVE‑2025‑53967 Framelink Figma MCP Server RCE
23 2025‑10‑03 CVE‑2025‑59536 Claude Code MCP consent/config bypass
24 2025‑09‑24 CVE‑2025‑59834 adb-mcp (command injection in ADB MCP Server)
25 2025‑09‑22 CVE‑2025‑59528 Flowise CustomMCP node
26 2025‑09‑16 CVE‑2025‑59333 @executeautomation/database-server (read-only mode bypass)
27 2025‑09‑08 CVE‑2025‑58444 MCP Inspector (@modelcontextprotocol/inspector) (XSS via untrusted redirect URL)
28 2025‑09‑08 CVE‑2025‑54994 @akoskm/create-mcp-server-stdio (which-app-on-port command injection via unsafe exec; also cited in OX supply-chain advisory)
29 2025‑08‑02 CVE‑2025‑54136 Cursor (trusted MCP config swap / persistent RCE via repo or local write; fixed 1.3)
30 2025‑07‑21 CVE‑2025‑53832 @translated/lara-mcp / Lara Translate MCP Server (command injection via child_process.exec)
31 2025‑07‑18 CVE‑2025‑54073 mcp-package-docs
32 2025‑07‑14 CVE‑2025‑53818 GitHub Kanban MCP Server (command injection via gh invocation)
33 2025‑07‑09 CVE‑2025‑6514 mcp-remote command injection
34 2025‑07‑08 CVE‑2025‑53372 node-code-sandbox-mcp
35 2025‑07‑08 CVE‑2025‑53355 mcp-server-kubernetes
36 2025‑07‑04 CVE‑2025‑53365 MCP Python SDK (mcp) (DoS via unhandled exception in Streamable HTTP transport)
37 2025‑07‑02 CVE‑2025‑53110 Filesystem MCP Server (@modelcontextprotocol/server-filesystem) (prefix/path collision bypass)
38 2025‑07‑02 CVE‑2025‑53109 Filesystem MCP Server (@modelcontextprotocol/server-filesystem) (symlink containment bypass)
39 2025‑07‑02 CVE‑2025‑34072 @modelcontextprotocol/server-slack (Slack link-unfurl data exfiltration)
40 2025‑07‑01 CVE‑2025‑53107 @cyanheads/git-mcp-server
41 2025‑06‑13 CVE‑2025‑49596 MCP Inspector (@modelcontextprotocol/inspector)
42 2025‑05‑12 CVE‑2025‑47274 Stacklok ToolHive

CVE Information schema (template)

Field Value
CVE / NVD CVE-YYYY-NNNNN
Date (index) YYYY-MM-DD
Affected product (index)
GHSA ID
GHSA category <short label or N/A>
Published / disclosed YYYY-MM-DD
Ecosystem <e.g. npm, PyPI — or omit row>
Component <specific component — or omit row>
EPSS score
CVSS score <score + version — or omit row>
CWE CWE-…
Affected versions
Fixed versions
Fix status <Patched / Unfixed / unknown / …>
Exploit status <Public advisory / PoC / …>
Notes <optional — or omit row>

Contribution Rules for This Section

Use these rules in your repository contribution guide:

A vulnerability entry must include:
- CVE ID and GHSA ID, if available.
- Affected component and version.
- Fixed version or mitigation.
- Severity and source.
- Root cause category.
- Exploit / PoC safety label.
- At least one official reference.
- Defensive notes.

Do not submit:
- Unverified rumors as confirmed CVEs.
- Working exploit payloads in the README.
- Duplicate advisories without linking aliases.
- Vulnerabilities that merely mention “MCP” but have no MCP security relevance.
