
vulnerablemcp

A comprehensive database of Model Context Protocol vulnerabilities, security research, and exploits

Installation
Run this command in your terminal to add the MCP server to Claude Code:
claude mcp add --transport stdio vineethsai-vulnerablemcp node server.js \
  --env PORT="3000" \
  --env NODE_ENV="development"

How to use

The Vulnerable MCP Project is a live repository and exploration surface for Model Context Protocol (MCP) vulnerabilities, security research, and exploits. It provides a Node-based local dev server that serves a static vulnerability database and a documentation site built from data/vulnerabilities.json using a build process. Once running, you can browse the vulnerability catalog, view individual vulnerability entries, and explore metadata such as severity, category, exploitability, and references. The project includes tooling to validate vulnerability entries against the controlled taxonomies and to verify that all referenced links remain live. This makes it useful for researchers, security engineers, and educators to study and demonstrate MCP-related weaknesses in a structured, reproducible way.

How to install

Prerequisites:

  • Node.js and npm installed on your system
  • Access to the project repository (cloned locally)

Installation steps:

  1. Install dependencies
    • Run: npm install
  2. Build the site (optional for development to generate dist/)
    • Run: npm run build
  3. Start the local dev server
    • Run: npm run dev
      This will start the server on port 3000 and serve the MCP Vulnerable site locally.

If you prefer to run directly with Node without the build step:

  • Ensure dependencies are installed: npm install
  • Start the server: node server.js

Environment variables (optional):

  • PORT: Port to run the server on (default 3000)
  • NODE_ENV: Environment mode (development | production)

Note: The project serves a static site generated from data/vulnerabilities.json via build.js. For development workflows, use npm run dev to start the local server with hot-ish rebuilds.

Additional notes

Tips and caveats:

  • Valid vulnerability entries must conform to data/taxonomy.json; use npm run validate to check entries before building or submitting PRs.
  • Use npm run check-links to verify that all external references remain alive.
  • The build process outputs static HTML into dist/, which is git-ignored; commit changes only to data and templates, not built artifacts.
  • If you modify data/vulnerabilities.json, run npm run validate followed by npm run build to preview changes locally.
  • Ensure you keep the live site URL and author information accurate for trust and attribution.
