70 / 100
20 days ago
glama

plex-mcp

Lets MCP clients browse and search your Plex media libraries.


// key findings
⚠️ Known vulnerabilities in dependencies: 2 high
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
🔐 You'll be asked for 1 credential: PLEX_TOKEN
It is read from process.env at runtime. Make sure you trust where it will be sent.
// known CVEs in dependencies: 2 high

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

high | @modelcontextprotocol/sdk@1.0.0 | GHSA-8r9q-7v3j-jr4g

Anthropic's MCP TypeScript SDK has a ReDoS vulnerability

high | @modelcontextprotocol/sdk@1.0.0 | GHSA-w48q-cv73-mx4w

Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default

// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
config | LOG_LEVEL | Configure verbosity via the env var (default info):
config | MCP_IMAGE_MAX_BYTES
config | MCP_IMAGE_SAVE_DIR
config | MCP_PORT | stdio (default) Direct invocation by Claude Desktop / MCP clients docker run -i --rm ... plex-mcp (no )
config | MCP_TLS | auto. The server generates an ECDSA P-256 self-signed
config | MCP_TLS_CERT_FILE | 1. Bring-your-own cert — set both and
config | MCP_TLS_CN | first DNS SAN, else plex-mcp Certificate common name.
config | MCP_TLS_DAYS | 365 Validity period. Cert rotates when <30 days remain.
config | MCP_TLS_DIR | cert on first start, writes it to (default
config | MCP_TLS_KEY_FILE | to PEM file paths. Use this when terminating
config | MCP_TLS_SAN | DNS:localhost,IP:127.0.0.1 Subject Alternative Names. Comma-separated DNS: / IP: entries.
🔐 secret | PLEX_TOKEN | (see below) Plex auth token
config | PLEX_URL | e =http://192.168.1.50:32400 \
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 5 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
commit: fcceedcb5a2ccde0eef68a4730dae36de7c77aca
code hash: b812d59aa4cc914988c938d4a4ac40067c77880362bf9640e2a761ab08ac5f0d
verified: 6/9/2026, 11:43:12 AM