Programming & Development
1
UPVOTE
dev.to

We scanned 50+ MCP servers and found HIGH-severity bugs in Atlassian, GitHub, Cloudflare, and Microsoft — here's what we learned

MCPSafe (mcpsafe.io) runs automated security scans of Model Context Protocol (MCP) server repositories using a five-model LLM judge panel and a purpose-built scoring rubric called AIVSS (AI Vulnerability Severity Score). Over the past three months, we've scanned 50+ MCP servers across GitHub, npm, and PyPI — and the results are sobering. TL;DR: the majority receive a grade of D or lower. The most common critical vulnerability is indirect prompt injection: servers that fetch Jira tickets, GitHub issues, Confluence pages, or web content and return it verbatim to the LLM, with no mechanism to distinguish attacker-controlled data from trusted instructions. Here's what we found — and what server authors need to fix. What is MCPSafe? MCPSafe (mcpsafe.io) is an automated security analysis platform for MCP server repositories. You paste a GitHub URL, npm package, or PyPI package and get back a graded security report in ~45 seconds — scored across 6 threat vectors with a

David König

David König

1d ago
1 0

Discussion

Jump in and comment!

Get the ball rolling with your comment!

No comments yet.

Be the first to share your take and keep the conversation moving.

Join the conversation

Log in or sign up to add your comment and participate in the discussion!

Log In Sign Up

UPVOTERS

Community appreciation

See who found this content valuable and showed their support.

anna_theodorou873

Anna Theodorou

Anna TheodorouUpvoted 1d ago1 comments · 58 shares

TOPICS

Explore the same topics

Discover more content from the topics this post is mapped to.

tmctmt.com
Mullvad exit IPs are surprisingly identifying

Comments
Anna Theodorou

Anna Theodorou

3h ago
0
dev.to
Smart Routing, Transfer Family Ingestion, and Voice Chat — Perm…

What This Post Covers This is a companion article to the FSx for ONTAP S3 Access Points Serverless Patterns series. While that series focuses on serverless …
David König

David König

4h ago
0
dev.to
AI 週報 — 2026-05-08 to 2026-05-15 | OpenAI 做顧問、Anthropic 做生態,模型公…

本週一句話:OpenAI 正在變成一家顧問公司,Anthropic 正在變成一家平台公司— —兩者都不約同時放棄了「模型即產品」的故事。 模型公司集體轉向:從 API 銷售到制度性資源 140 億美元— —這是 OpenAI 對其新建「Deployment Company」的估值,聲稱…
DC

DEV Community

5h ago
0
dev.to
How to Send Auth Codes via WhatsApp in Your App With Kinde

Your users are in San Francisco, Jakarta, São Paulo, and Sydney. They have WhatsApp open all day. They check it before they check their SMS inbox. When your ap…
David König

David König

6h ago
0
arkadiyt.com
Removing the Modem and GPS from My 2024 RAV4 Hybrid

Comments
HN

Hacker News

13h ago
0
dev.to
Building a DPI-Resistant VPN with VLESS REALITY & Nginx (Open S…

tags: opensource, security, python, bash If you live in a region with strict internet censorship (like China, Iran, or Russia), you probably know that the gol…
DC

DEV Community

14h ago
0

Keep browsing

Explore more from this topic

Dive into the full feed of curated posts covering Programming & Development.

Browse Topics

RELATED CONTENT

Continue exploring

Discover more content that aligns with your interests and this post.


Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'what we learned', '%') THEN 4 WHEN SUBSTRING_INDEX(cont...' at line 24 in /data/c/9/c9112b04-975e-4759-b3de-bc4061bd2afe/upvote.link/public_html/content.php:3142 Stack trace: #0 /data/c/9/c9112b04-975e-4759-b3de-bc4061bd2afe/upvote.link/public_html/content.php(3142): mysqli->prepare('\n ...') #1 {main} thrown in /data/c/9/c9112b04-975e-4759-b3de-bc4061bd2afe/upvote.link/public_html/content.php on line 3142