The CVE Picture Is Cleaner Than You'd Expect
The MCPpedia catalog has 18,855 MCP servers as of today. Against that backdrop, there are 65 open CVEs distributed across 30 distinct servers — 0.16% of the catalog carrying open tracked vulnerabilities.
More importantly: zero open CVEs are rated critical. Zero are rated high. Every unresolved vulnerability in the catalog today sits at medium, low, or unscored.
The fix rate tells the bigger story. Of 2,922 total CVEs tracked across the ecosystem, 2,857 have been resolved. That's not a community ignoring security reports. That's a community that, when CVEs get filed, mostly fixes them.
Where the 65 Open CVEs Sit
The 65 open vulnerabilities by severity:
| Severity | Open Count |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 25 |
| Low | 33 |
| Unscored | 7 |
The absence of critical and high open CVEs is meaningful. CVEs at those tiers — remote code execution without authentication, full credential exposure, exploitable without user interaction — have either been patched or marked won't-fix. The ecosystem's worst-known vulnerabilities are not sitting open.
The 25 medium CVEs and 33 low CVEs are real issues, but they sit in the categories where blast radius is constrained: typically requiring local access, authenticated sessions, or specific dependency configurations to exploit.
All 65 open CVEs are concentrated in 30 servers out of 18,855. The remaining 18,825 servers have no open tracked CVEs.
The Denominator That Changes the Story
The formal CVE count looks clean. The behavioral-risk picture is different — and the denominator matters.
MCPpedia's AI-specific checks (tool poisoning, injection risk, code execution) can only run on servers whose tool manifest has been successfully fetched. Of 18,855 active servers, 1,561 (8.3%) have extractable tool definitions today. The remaining 17,294 can't be scanned for behavioral flags because there's no manifest to analyze — most are packages that haven't been probed for a live endpoint, or schemas the bot couldn't parse.
So when you read "182 servers carry code-execution patterns," the honest framing is 182 out of the 1,561 we could actually look at — 11.7%. Not 0.97% of the catalog.
Every prevalence rate in this section uses 1,561 scannable servers as the denominator, not 18,855. Treating the full catalog as the base understates risk by roughly an order of magnitude. The true surface is probably larger — the 17,294 unscanned servers would contribute more flagged entries if they had manifests we could analyze.
Code Execution — 11.7% of Scanned Servers
182 of 1,561 scannable servers carry the has_code_execution flag. Their tool definitions include patterns that allow arbitrary code to run during an agent call — shell commands, eval, subprocess spawning.
Code execution isn't automatically malicious. A filesystem server that runs shell commands, a Python REPL connector, a Docker management tool — these need code execution to function. But an MCP server that executes arbitrary code inside an AI-driven tool call has a fundamentally different threat model than one that's read-only. The question isn't whether code execution is present; it's whether the scope is documented and the surface is intentional.
11.7% of scannable MCP servers can execute code during an agent tool call. The catalog average isn't 1%. It's double digits, in the population where we can actually measure.
Tool Poisoning and Injection Risk
Two narrower, higher-intent categories:
- 19 of 1,561 (1.2%) carry tool-poisoning indicators — tool descriptions that appear to embed model-manipulation instructions, designed to influence what the AI does beyond the stated tool purpose
- 15 of 1,561 (1.0%) have injection-risk patterns in their schemas — inputs that could be shaped by adversarial content to redirect model behavior
Lower prevalence than code execution, but less ambiguous — these patterns are rarely accidental. A server whose tool description tries to manipulate the model is different in kind from a server that legitimately needs to spawn a subprocess.
983 New Servers in Seven Days
The catalog added 983 servers in the last seven days. At that pace, the absolute count of code-execution and injection-risk servers will grow even if the flagging rate stays flat. Each week's arrivals include servers that haven't accumulated issue history, haven't been tested at scale, and often ship with no authentication by default.
The 97.8% CVE fix rate reflects the state of servers that have been in the catalog long enough to be scanned, flagged, and patched. It says nothing about the servers arriving next week.
Three Takeaways
The formal vulnerability picture is better than expected. Zero critical, zero high, and a 97.8% fix rate are real signals. The MCP ecosystem is not ignoring CVE reports.
Behavioral risk is what you should actually worry about. In the 8.3% of the catalog we can fully scan, 11.7% expose code execution and 2.2% carry tool-poisoning or injection-risk patterns. These are mostly invisible to CVE databases — which weren't designed to flag "this tool description embeds model-manipulation text" or "this tool runs code the model can't audit." Before installing any server flagged for code execution, ask: what specific capability requires it, and is that scope clearly documented?
The denominator will keep changing. Right now we can scan 1,561 servers. As the discovery bot fetches more live manifests, that number grows — and so will the absolute flag counts, even if prevalence rates stay flat. At 983 new servers per week, the code-execution and injection-risk tallies next month will be substantially larger than today's.
All figures in this post come from live queries against the MCPpedia database run on 2026-04-18. Behavioral-flag prevalence rates use the 1,561-server scannable population (servers with extractable tool manifests) as the denominator, not the full 18,855-server catalog. Day-over-day trend data is not reported here — a snapshot-bot fix merged on 2026-04-17 makes prior snapshots unreliable for comparison. Individual server security evidence is available on each server's detail page.
MCP Security Weekly
Weekly CVE alerts, new server roundups, and MCP ecosystem insights. Free.
Keep reading
This article was written by AI, powered by Claude and real-time MCPpedia data. All facts and figures are sourced from our database — but AI can make mistakes. If something looks off, let us know.