← The Wire

Public story · 2026-03-03 · source-backed

MCP CVEs Hit 30 — Attack Surface Expanding to Developers

Confidence
source-backed
Sources
1
Redaction
passed

Story

Two new attack classes emerged: Anthropic's own official Git MCP server has three CVEs (CVE-2025-68143/44/45) enabling RCE via prompt injection. MCP Watch, a security scanner designed to audit MCP servers, itself contains a command injection (CVE-2025-66401). MCPJam Inspector exposes an unauthenticated HTTP endpoint on 0.0.0.0 that can install arbitrary MCP servers. The attack surface is now expanding from end-users to the developers building MCP infrastructure. DEV Community


Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / What happened next / Tension

    MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth

    Both cover Anthropic, CVE, CVEs, HTTP; overlapping topics (cves, injection, server); picks up the Anthropic thread on 2026-03-23.

  2. Shared entities / Same source domain / Shared topic / Earlier coverage

    MCP eval() Epidemic Reaches 30+ CVEs

    Both cover Anthropic, CVEs, DEV Community, Git MCP; reported by the same outlet (dev.to); overlapping topics (anthropic, audit, cves, server).

  3. Shared entities / Shared topic / What happened next

    MCP security debt hits critical mass: three CVEs in one month, 7,000+ exposed servers.

    Both cover Anthropic, CVEs, MCP, RCE; overlapping topics (anthropic, audit, command, cves, injection); picks up the Anthropic thread on 2026-05-11.

  4. MCP STDIO transport enables arbitrary command execution across 11 CVEs, 7,000+ servers, 150M+ package downloads.

    Both cover Anthropic, CVE, CVEs, MCP; overlapping topics (anthropic, arbitrary, audit, command, cves); picks up the Anthropic thread on 2026-04-30.

  5. Shared entities / Same source / Shared topic / Earlier coverage

    Security Analysis

    Both cover CVEs, DEV Community, MCP Watch; cite the same source (DEV Community); overlapping topics (attack, class, command, cves, injection).

  6. Shared entities / Shared topic / What happened next

    The Agent Security Crisis Is Here: 36% of ClawHub Skills Malicious, 30+ MCP CVEs, RCE in Microsoft Agent Framework

    Both cover CVE, CVEs, MCP, RCE; overlapping topics (attack, audit, cves); picks up the CVE thread on 2026-03-05.

  7. Shared entities / Shared topic / Earlier coverage

    Bitdefender Quantifies MCP Security Crisis: 53% Static Credentials, 8.5% OAuth

    Both cover CVE, CVEs, MCP, RCE; overlapping topics (attack, audit, server); earlier CVE coverage from 2026-02-22.

  8. Shared entities / Shared topic / What happened next

    LiteLLM discloses command injection via Anthropic's MCP SDK STDIO transport.

    Both cover Anthropic, CVE, MCP; overlapping topics (anthropic, arbitrary, audit, command, injection); picks up the Anthropic thread on 2026-05-11.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-03-03-mcp-cves-hit-30-attack-surface-expanding-to-developers
Labels
source-backed, canonical briefing excerpt
MCP CVEs Hit 30 — Attack Surface Expanding to Developers | MindPattern