Security

Every MCP risk signal in one place — CVEs, tool safety, drift, naming, licenses. Heuristic: review signals, not verdicts.

Risk: servers ranked by their composite exposure score — synthesised from CVEs, inferred permissions, drift, supply-chain and abandonment signals. Heuristic and banded; a high grade is a 'review this' signal, never a verdict.

Patchable now: 2 servers · fix published, not adopted

A fix already ships upstream but the server still runs an older, vulnerable version — remediation lag, actionable today.

  1. @frontmcp/adapters HIGH CVE-2026-39885 1.4.1 → 2.3.0
  2. @frontmcp/sdk HIGH CVE-2026-39885 1.4.1 → 2.3.0

  1. A 0xka13b/microsoft-mcps 14
    • exposure 22
  2. A 10iii/air 14
    • exposure 22
  3. A 171county/modwrench 14
    • exposure 22
  4. A @hovecapital/read-only-mysql-mcp-server 14
    • exposure 12
    • inherited 15
  5. A @openharness/core 14
    • exposure 16
    • inherited 1
  6. A Agonx402/agon-gateway-agentic 14
    • exposure 22
  7. A AishwaryShrivastav/vibe-testing 14
    • exposure 22
  8. A Algiras/debugium 14
    • exposure 22
  9. A Ansvar-Systems/Austrian-law-mcp 14
    • exposure 14
  10. A Ansvar-Systems/Belgium-law-mcp 14
    • exposure 14
  11. A Ansvar-Systems/Bulgarian-law-mcp 14
    • exposure 14
  12. A Ansvar-Systems/Croatian-law-mcp 14
    • exposure 14
  13. A Ansvar-Systems/Estonian-law-mcp 14
    • exposure 14
  14. A Ansvar-Systems/Latvian-law-mcp 14
    • exposure 14
  15. A Ansvar-Systems/Liechtenstein-law-mcp 14
    • exposure 14