We've spent Q1 2026 auditing MCP servers. We scanned 19 popular repos, did deep manual reviews on 6, and filed security advisories against 3 of them. This is what we found — and what it tells us about how MCP security fails.

The short version: MCP servers are being built by developers who understand databases and APIs, but who haven't modeled what happens when an AI agent connects to their server and sends unexpected inputs. The result is a class of vulnerabilities that's remarkably consistent across codebases.

What We Audited

We ran a static analysis scanner against 19 MCP servers ranked by GitHub stars and MCP registry installs. The scan covered SQL injection patterns, shell injection, SSRF, hardcoded credentials, and path traversal. Score threshold for deep review: 50/100. For immediate triage: 70/100 with critical findings.…
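As an added illustration of the "unexpected inputs from the agent" failure mode (my own code, not from any of the audited repositories), here is the shape behind the path-traversal class: an MCP `read_file` tool that joins the agent-supplied `path` onto a sandbox root, beside a hardened version that canonicalises the path and checks containment before anything is opened. `SANDBOX_ROOT`, the tool name and the request shape are assumptions, and the request is constructed.

```python
import json
import os

# Constructed example, not code from any audited server. Models an MCP tool whose
# arguments are chosen by the agent and handled as if they were trusted.
SANDBOX_ROOT = os.path.realpath("/srv/mcp-docs")  # assumed: the only directory the tool may serve


def vulnerable_target(args: dict) -> str:
    """The recurring pattern: join the agent-supplied path onto the root and use it.
    '../' segments walk straight out of SANDBOX_ROOT. Returns the path that would be opened."""
    return os.path.normpath(os.path.join(SANDBOX_ROOT, args["path"]))


def hardened_target(args: dict) -> str:
    """Reject non-strings, NUL bytes and absolute paths, canonicalise, then require the
    result to sit under the canonical root. commonpath (not startswith) is used so that
    a sibling such as '/srv/mcp-docs-old' is not mistaken for the root."""
    user_path = args.get("path")
    if not isinstance(user_path, str) or "\x00" in user_path:
        raise ValueError("path must be a string without NUL bytes")
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are rejected")
    candidate = os.path.realpath(os.path.join(SANDBOX_ROOT, user_path))
    if os.path.commonpath([SANDBOX_ROOT, candidate]) != SANDBOX_ROOT:
        raise ValueError("path escapes the sandbox root")
    return candidate


def handle_tools_call(message: str) -> dict:
    """Dispatch an MCP tools/call request (JSON-RPC 2.0 shape, assumed here) to the
    hardened handler and return a result or a JSON-RPC style error object."""
    req = json.loads(message)
    params = req.get("params", {})
    if req.get("method") != "tools/call" or params.get("name") != "read_file":
        return {"error": {"code": -32601, "message": "unknown tool"}}
    try:
        return {"result": {"path": hardened_target(params.get("arguments", {}))}}
    except ValueError as exc:
        return {"error": {"code": -32602, "message": str(exc)}}


if __name__ == "__main__":
    # Constructed request carrying the kind of unexpected argument the post describes.
    hostile = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                          "params": {"name": "read_file",
                                     "arguments": {"path": "../../etc/passwd"}}})
    print("vulnerable handler would open:", vulnerable_target({"path": "../../etc/passwd"}))
    print("hardened handler replies:", handle_tools_call(hostile))
```

The same containment check applies to any tool argument that names a file, directory or URL; the point is that the agent, not the developer, chooses the value.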