MCP Security Advisories
Maintained by Michael K Onyekwere
Auto-published when monitored MCP packages change risk level. Detected via real-time npm registry monitoring.
Correction in effect: May 16, 2026 mitigator pass
The scanner shipped a precision pass on 2026-05-16 targeting a self-detected false-positive class in browser/CLI/terminal MCP packages. Advisories below that were published before that pass and fall in the affected class remain visible at their original severity. The live /report/<package> page will reflect the corrected severity once the monitor cron rescans that package (oldest-first cycle, completes across the full backlog over roughly three to four days from 2026-05-16). Until then, the cached scan-history value on the report page may still show the pre-mitigator severity. We do not silently rewrite the public record.