
Ten CVEs Later: Why MCP Developers Keep Making the Same Mistake
The exec() epidemic in the MCP ecosystem: a pattern analysis

Six weeks into tracking MCP vulnerabilities, we've documented 23 CVEs across the ecosystem. Ten of them share the same root cause: child_process.exec() called with user-controlled input. Ten different projects. Ten different developers. Ten identical mistakes.

The Ten

CVE              Project                               Vulnerable function
CVE-2026-2178    xcode-mcp-server                      run_lldb command construction
CVE-2026-27203   Various                               Shell command injection via exec
CVE-2026-25546   Godot MCP                             exec(projectPath)
CVE-2025-66401   MCP Watch (security scanner)          execSync("git clone " + githubUrl)
CVE-2025-68144   mcp-server-git (Anthropic official)   git_diff / git_checkout arg injection
CVE-2026-26029   sf-mcp-server (Salesforce)            child_process.exec with CLI args
CVE-2026-0755    Various                               exec() with file paths
CVE-2026-2130    Various                               exec() with user parameters
CVE-2026-2131    Various                               exec() with user parameters
CVE-2026-25650   MCP-Salesf
Continue reading on Dev.to (JavaScript)