Vibe Coding
MCP Attack Surface Triples: 1,467 Exposed Servers, NGINX CVE-2026-33032 Scores 9.8
Trend Micro reports exposed MCP servers have nearly tripled to 1,467, with critical vulnerabilities including CVE-2026-33032 (CVSS 9.8) in nginx-ui MCP endpoints allowing unauthenticated full system takeover, SQL injection in Apache Doris MCP (CVE-2025-66335), and Alibaba RDS MCP metadata exfiltration that Alibaba declined to patch. OX Security found systemic RCE vulnerabilities across the MCP supply chain affecting an estimated 150 million package downloads. Anyone running MCP servers — including Claude Code users with custom servers — should audit their exposure immediately.
Source
↳ Follow the thread