Disclosures, advisories, and known-malicious MCP packages.
Curated from NVD, vendor advisories, OWASP MCP Top 10, the Vulnerable MCP Project, Koi Security, Cymulate, and OX Security. Updated as new disclosures land.
- criticalMCP2026-05-21
OX Security 'Mother of All AI Supply Chains' — MCP STDIO Design Flaw
Systemic RCE-by-design flaw disclosed by OX Security (May 2026) affecting the MCP STDIO transport across the official TypeScript SDK, Python SDK, and reference server implementations — over 150 M combined downloads. The STDIO interface executes arbitrary subprocess commands witho…
@modelcontextprotocol/sdkmcp@modelcontextprotocol/server-filesystem@modelcontextprotocol/inspector - highMCP2026-05-21
Filesystem MCP Path Traversal & Symlink Attack (Cymulate EscapeRoute)
Cymulate's EscapeRoute research (2025–2026) identified two flaws in the Anthropic Filesystem MCP server: a .startsWith() path-validation bypass enabling directory traversal, and a symlink-race attack allowing arbitrary file read/write including sensitive system files. Affected ve…
@modelcontextprotocol/server-filesystem - highMCPCVE-2025-541362026-05-21
Cursor MCP TOCTOU Persistent RCE (CVE-2025-54136)
Time-of-check/time-of-use flaw in the Cursor editor's MCP config handling lets an attacker silently modify an already-approved MCP config file and achieve persistent remote code execution without triggering a re-approval prompt. Demonstrated via a reverse-shell payload inserted a…
cursor - highMCPCVE-2025-549942026-05-21
@akoskm/create-mcp-server-stdio Command Injection (CVE-2025-54994)
Arbitrary command execution via the package's port-monitoring utility due to unsanitised stdin handling in the MCP STDIO interface. Affected versions unverified — under review; the vulnerability is part of a broader STDIO design-flaw class affecting the MCP ecosystem.
@akoskm/create-mcp-server-stdio - highMCPCVE-2026-226882026-05-21
WeKnora MCP Command Injection (CVE-2026-22688)
Unsanitised stdio_config.command and args parameters in the WeKnora MCP integration allow authenticated users to inject and execute arbitrary OS commands. Affected versions unverified — under review; treat all published versions as potentially vulnerable.
weknora - highMCPCVE-2026-222522026-05-21
LibreChat MCP Command Injection (CVE-2026-22252)
Command injection in LibreChat's MCP stdio transport allows an authenticated user to execute arbitrary shell commands via unsanitised stdio_config.command/args inputs. Affected versions unverified — under review; check the upstream advisory for the patched release tag.
librechat - criticalMCPCVE-2025-495962026-05-21
MCP Inspector Unauthenticated RCE (CVE-2025-49596)
CVSS 9.4 — missing authentication on the MCP Inspector proxy server lets an unauthenticated attacker trigger arbitrary code execution on the developer's machine. Chaining with a browser-level CSRF or open redirect lowers the bar to a single malicious link.
@modelcontextprotocol/inspector - criticalMCP2026-05-21
Postmark MCP Backdoor — BCC Email Exfiltration
First malicious MCP server discovered on npm (disclosed by Koi Security, September 25 2025) that silently BCC-copies outbound emails to an attacker-controlled address. Affected versions unverified — under review; treat all published versions as compromised until the legitimate ma…
postmark-mcp