Bug hunter tracks down three massive MCP flaws and one vendor won't fix theirs

ID: f6cdc4d9-725d-5e63-944a-492976e1fd7d

STIX ID: report--f6cdc4d9-725d-5e63-944a-492976e1fd7d

Feed Name: The Register (Security)

Threat Score: 70/100

Date Published: 2026-05-13

Date Updated: 2026-05-22

**Executive summary:** The report describes three serious MCP server vulnerabilities—an SQL injection in Apache Doris (patched, CVE-2025-66335), an authentication-bypass/SQL-injection exposure in Apache Pinot integrations (allowing unauthenticated query execution and possible full takeover), and an unauthenticated metadata-exposure flaw in Alibaba RDS MCP (unpatched after vendor refusal)—highlighting systemic gaps in MCP server authentication and query validation that could enable database takeover or metadata exfiltration.