We scanned 14,762 MCP servers across six registries. 37% run with known CVEs in their production dependencies. The official MCP SDK is the single largest source.
1 in 3 MCPs run a CVE-laden dep
More coming.