From path traversal to supply chain compromise: breaking MCP server hosting

We found a path traversal vulnerability in Smithery.ai that compromised over 3,000 MCP servers and exposed thousands of API ...