CVE-2026-31040

CRITICAL

stata-mcp <1.13.0 - Command Injection

Title source: llm

Description

A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.

References (4)

https://github.com/SepineTam/stata-mcp/issues/20

https://github.com/SepineTam/stata-mcp/pull/21

https://github.com/SepineTam/stata-mcp/commit/52413ce

View Patch ZIP pw:eip

https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0

Scores

CVSS v3 9.8

EPSS 0.0012

EPSS Percentile 31.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-94

Status published

Products (2)

pypi/stata-mcp 0 - 1.13.0PyPI

statamcp/stata-mcp < 1.13.0

Published Apr 08, 2026

Tracked Since Apr 08, 2026