Public story · 2026-03-03 · source-backed
MCP CVEs Hit 30 — Attack Surface Expanding to Developers
Story
Two new attack classes emerged: Anthropic's own official Git MCP server has three CVEs (CVE-2025-68143/44/45) enabling RCE via prompt injection. MCP Watch, a security scanner designed to audit MCP servers, itself contains a command injection (CVE-2025-66401). MCPJam Inspector exposes an unauthenticated HTTP endpoint on 0.0.0.0 that can install arbitrary MCP servers. The attack surface is now expanding from end-users to the developers building MCP infrastructure. DEV Community
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / What happened next / Tension
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover Anthropic, CVE, CVEs, HTTP; overlapping topics (cves, injection, server); picks up the Anthropic thread on 2026-03-23.
Shared entities / Same source domain / Shared topic / Earlier coverage
MCP eval() Epidemic Reaches 30+ CVEs
Both cover Anthropic, CVEs, DEV Community, Git MCP; reported by the same outlet (dev.to); overlapping topics (anthropic, audit, cves, server).
Shared entities / Shared topic / What happened next
MCP security debt hits critical mass: three CVEs in one month, 7,000+ exposed servers.
Both cover Anthropic, CVEs, MCP, RCE; overlapping topics (anthropic, audit, command, cves, injection); picks up the Anthropic thread on 2026-05-11.
MCP STDIO transport enables arbitrary command execution across 11 CVEs, 7,000+ servers, 150M+ package downloads.
Both cover Anthropic, CVE, CVEs, MCP; overlapping topics (anthropic, arbitrary, audit, command, cves); picks up the Anthropic thread on 2026-04-30.
Shared entities / Same source / Shared topic / Earlier coverage
Security Analysis
Both cover CVEs, DEV Community, MCP Watch; cite the same source (DEV Community); overlapping topics (attack, class, command, cves, injection).
Shared entities / Shared topic / What happened next
The Agent Security Crisis Is Here: 36% of ClawHub Skills Malicious, 30+ MCP CVEs, RCE in Microsoft Agent Framework
Both cover CVE, CVEs, MCP, RCE; overlapping topics (attack, audit, cves); picks up the CVE thread on 2026-03-05.
Shared entities / Shared topic / Earlier coverage
Bitdefender Quantifies MCP Security Crisis: 53% Static Credentials, 8.5% OAuth
Both cover CVE, CVEs, MCP, RCE; overlapping topics (attack, audit, server); earlier CVE coverage from 2026-02-22.
Shared entities / Shared topic / What happened next
LiteLLM discloses command injection via Anthropic's MCP SDK STDIO transport.
Both cover Anthropic, CVE, MCP; overlapping topics (anthropic, arbitrary, audit, command, injection); picks up the Anthropic thread on 2026-05-11.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — 2026-03-03
- AI generated
- no
- Story unit
- 2026-03-03-mcp-cves-hit-30-attack-surface-expanding-to-developers
- Labels
- source-backed, canonical briefing excerpt