Public story · 2026-02-25 · source-backed
Security Analysis
Story
30 MCP CVEs Mapped Into Three Attack Layers — Comprehensive mapping: Layer 1 (Execution, 43%): 13 exec/shell injection CVEs. Layer 2 (Tooling, 20%): 6 CVEs targeting dev infrastructure — MCP Watch (a security scanner!) has command injection in its own repo cloning. Layer 3 (New classes, 14%): eval() and env var injection. 38% of 560 scanned servers have no auth. Your MCP security tools may themselves be vulnerable. (DEV Community / Kai Security)
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Same source / Shared topic / What happened next
MCP Hits 30+ CVEs in 6 Weeks
Both cover CVEs, Kai Security; cite the same source (DEV Community / Kai Security); overlapping topics (attack, class, cves, eval, exec).
MCP CVEs Hit 30 — Attack Surface Expanding to Developers
Both cover CVEs, DEV Community, MCP Watch; cite the same source (DEV Community / Kai Security); overlapping topics (attack, class, command, cves, injection).
MCP Security Hits Critical Mass — 30 CVEs, 80% of Enterprises Report Risky Agent Behaviors
Both cover CVEs, DEV Community; cite the same source (DEV Community / Kai Security); overlapping topics (attack, cves, have, security).
Shared entities / Same source domain / Shared topic
MCP eval() Epidemic Reaches 30+ CVEs
Both cover CVEs, DEV Community, Kai Security; reported by the same outlet (dev.to); overlapping topics (cves, eval, exec).
Shared entities / Same source domain / Shared topic / Tension
Harden MCP Servers Against the eval() Epidemic
Both cover DEV Community, Kai Security; reported by the same outlet (dev.to); overlapping topics (auth, eval, exec).
Shared entity: CVEs / Shared topic / What happened next / Tension
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover CVEs; overlapping topics (auth, cves, have, injection, security); picks up the CVEs thread on 2026-03-23.
The config file is the new attack surface, across every IDE.
Both cover CVEs; overlapping topics (attack, cves, layer); picks up the CVEs thread on 2026-06-26.
Shared entity: DEV Community / Same source / What happened next
Vibe Coding & AI Development
Both cover DEV Community; cite the same source (DEV Community / Kai Security); picks up the DEV Community thread on 2026-03-03.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — 2026-02-25
- AI generated
- no
- Story unit
- 2026-02-25-security-analysis
- Labels
- source-backed, canonical briefing excerpt