VulnerableMCP — MCP security database for real-world tool flaws

AI relevance: MCP servers are the tool layer for LLM agents, so a centralized vulnerability database directly maps to real-world risk in agent deployments.

  • VulnerableMCP publishes a rolling catalog of MCP-related issues with impact, exploitability, and prevalence tags.
  • The database pulls in entries from CVE feeds, advisories, and security research, not just vendor blogs.
  • Recent examples listed include cross-client response leakage in the MCP TypeScript SDK and unauthenticated RCE via exposed MCP servers.
  • Each entry calls out attack class (prompt injection, command injection, SSRF, DNS rebinding) to help triage by threat model.
  • Entries explicitly note data exfiltration, credential theft, or tool abuse impacts where relevant.
  • The project acts as a shared memory for MCP supply-chain and tool-layer risks across vendors.

Why it matters

  • Agent platforms often reuse MCP servers across teams; a single vulnerable tool can become a fleet-wide blind spot.
  • Security teams need a single source of truth to map agent tooling risks to concrete mitigations.
  • Consolidated issue tracking improves patch prioritization and reduces reliance on scattered blog posts.

What to do

  • Inventory: Compare your installed MCP servers/skills against VulnerableMCP’s database.
  • Gate installs: Require review for MCP packages with command execution, network fetch, or filesystem access.
  • Harden defaults: Disable 0.0.0.0 bindings, enforce auth, and restrict tool permissions by default.
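The three actions above can be turned into one automated gate. The following is an added example, not code from VulnerableMCP: it audits a constructed host config against a constructed stand-in for a database export, flagging known-vulnerable versions, wildcard binds, missing auth, and capabilities that require review. The config layout, field names and package names are assumptions for the example.

```python
import json

# Constructed sample config. The {"mcpServers": {...}} layout and the per-server
# fields (package, version, bind, auth, capabilities) are assumptions for this
# example, not VulnerableMCP's schema or any particular host's real format.
SAMPLE_CONFIG = json.loads("""{
  "mcpServers": {
    "fs-tools": {"package": "example-fs-mcp", "version": "1.2.0",
                 "bind": "0.0.0.0:8080", "auth": "none",
                 "capabilities": ["filesystem", "exec"]},
    "docs":     {"package": "example-docs-mcp", "version": "0.4.1",
                 "bind": "127.0.0.1:8081", "auth": "token",
                 "capabilities": ["network"]},
    "notes":    {"package": "example-notes-mcp", "version": "2.0.0",
                 "bind": "127.0.0.1:8082", "auth": "token",
                 "capabilities": []}
  }
}""")

# Constructed stand-in for a database export: package -> affected versions.
# Real entries would be loaded from VulnerableMCP.
KNOWN_VULNERABLE = {"example-fs-mcp": {"1.2.0", "1.2.1"}}

# Capabilities the install gate sends to human review.
REVIEW_CAPS = {"exec", "network", "filesystem"}
ALL_INTERFACES = {"0.0.0.0", "::"}   # IPv4 and IPv6 wildcard binds

def audit_server(cfg, vuln_db=KNOWN_VULNERABLE):
    """Return (decision, findings) for one server: block / review / allow."""
    findings = []
    if cfg.get("version") in vuln_db.get(cfg.get("package"), set()):
        findings.append("known-vulnerable")              # inventory check
    host = cfg.get("bind", "127.0.0.1").rsplit(":", 1)[0].strip("[]")
    if host in ALL_INTERFACES:
        findings.append("binds-all-interfaces")          # harden defaults
    if cfg.get("auth", "none") == "none":
        findings.append("no-auth")                       # harden defaults
    risky = REVIEW_CAPS & set(cfg.get("capabilities", []))
    if risky:
        findings.append("review-caps:" + ",".join(sorted(risky)))  # gate installs
    hard = [f for f in findings if not f.startswith("review-caps")]
    return ("block" if hard else "review" if risky else "allow"), findings

def audit(config, vuln_db=KNOWN_VULNERABLE):
    """Audit every server in a host config; returns {name: (decision, findings)}."""
    return {n: audit_server(c, vuln_db) for n, c in config["mcpServers"].items()}

if __name__ == "__main__":
    for name, (decision, findings) in audit(SAMPLE_CONFIG).items():
        print(f"{name:10} {decision:7} {findings}")
```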

Sources