MCP Security by the Numbers: 30+ CVEs in a 60-Day Window, ~43% Command Injection
Practical DevSecOps·medium signal
Aggregated 2026 tracking (Vulnerable MCP Project; Practical DevSecOps) shows 30+ CVEs filed against MCP servers in a single early-2026 60-day window, roughly 43% of them command-injection patterns, with exposed-listener and SSRF classes close behind. The takeaway for anyone shipping MCP servers: the ecosystem's attack surface is now well-catalogued, so pre-ship threat modeling against these known classes is table stakes.