The most comprehensive, up-to-date, practitioner-first security reference for LLM applications and Model Context Protocol (MCP) deployments.
Covers real CVEs, live attack patterns, OWASP frameworks, red teaming tools, and actionable checklists — updated weekly.
The AI security landscape shifted dramatically in 2025–2026:
- 🔴 492 MCP servers publicly exposed with no authentication (Trend Micro, 2026)
- 🔴 CVE-2025-6514 compromised 437,000+ developer environments via mcp-remote OAuth proxy
- 🔴 1,184 malicious skills confirmed across the ClawHub agent registry (Antiy CERT, 2026)
- 🔴 Claude Code RCE vulnerability (CVE-2025-59536, CVSS 8.7) — triggered by opening a repo
- 🔴 OWASP released 2 new frameworks: LLM Top 10 (2025) + Agentic Top 10 / ASI (Dec 2025)
Most tutorials show you how to build with MCP and LLMs. Almost none show you how to secure them. This is that guide.
- LLM01: Prompt Injection
- LLM02: Insecure Output Handling
- LLM03: Training Data Poisoning
- LLM04: Model Denial of Service
- LLM05: Supply Chain Vulnerabilities
- LLM06: Sensitive Information Disclosure
- LLM07: Insecure Plugin Design
- LLM08: Excessive Agency
- LLM09: Overreliance
- LLM10: Model Theft
- MCP Attack Surface Overview
- MCP01: Token Mismanagement
- MCP02: Tool Poisoning
- MCP03: Prompt Injection via MCP
- MCP04: Confused Deputy Attacks
- MCP05: Supply Chain Attacks
- MCP06: Context Poisoning
- MCP07: OAuth Misconfiguration
- MCP08: SSRF via Fetch Servers
- MCP09: Scope Creep
- MCP10: Insecure Transport
- Real CVE Database
- ASI01: Agent Goal Hijack
- ASI02: Tool Misuse
- ASI03: Identity & Privilege Abuse
- ASI04–ASI10: Full Coverage
| CVE | CVSS / Severity | Component | Impact |
|---|---|---|---|
| CVE-2025-6514 | CRITICAL | mcp-remote (558k+ downloads) | RCE, 437k+ environments compromised |
| CVE-2025-59536 | 8.7 | Claude Code | RCE via .claude/settings.json Hook injection |
| CVE-2026-21852 | 5.3 | Claude Code | API key theft via request redirection |
| CVE-2026-28363 | 9.9 | OpenClaw | Localhost WebSocket hijack → data exfiltration |
| CVE-2025-65513 | 9.3 | mcp-fetch-server | SSRF → internal network access |
| CVE-2025-68145/43/44 | HIGH | mcp-server-git | Path bypass + RCE chain |
Live tracker: vulnerablemcp.info
| Framework | Scope | Released |
|---|---|---|
| OWASP LLM Top 10 (2025) | LLM application risks | Nov 2024 |
| OWASP Agentic Top 10 (ASI 2026) | Autonomous agent risks | Dec 2025 |
| OWASP MCP Top 10 | MCP protocol risks | 2025 (Beta) |
| OWASP Agentic Skills Top 10 | Agent skill/plugin risks | Q1 2026 |
| MITRE ATLAS | Adversarial ML tactics | Ongoing |
| NIST AI RMF | Governance framework | 2023 |
| Tool | Best for |
|---|---|
| DeepTeam | 50+ vulnerabilities, OWASP/NIST/MITRE frameworks |
| promptfoo | CI/CD integration, OWASP plugin mapping |
| Garak | 100+ automated vulnerability probes |
| PyRIT | Microsoft's orchestration framework |
| agent-scan | MCP server + agent skill scanner |
Contributions are welcome. See CONTRIBUTING.md.
- Found a new CVE? Open an issue.
- Better mitigation code? Submit a PR.
- New attack pattern? Document it.
CC BY 4.0 — Free to use, share, and build on with attribution.
⭐ Star this repo if it helped you secure something. It helps others find it.