CVE-2026-4593

MEDIUM

erupts erupt MCP Tool EruptDataQuery.java EruptDataQuery sql injection

Title source: cna

Description

A flaw has been found in erupts erupt bis 1.13.3. Affected by this vulnerability is the function EruptDataQuery of the file erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java of the component MCP Tool Interface. This manipulation causes sql injection hibernate. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-352430 | erupts erupt MCP Tool EruptDataQuery.java EruptDataQuery sql injection

https://vuldb.com/?id.352430

Signature, Permissions Required signature permissions-required

VDB-352430 | CTI Indicators (IOB, IOC, IOA)

https://vuldb.com/?ctiid.352430

Third Party Advisory third-party-advisory

Submit #775593 | erupts erupt erupt ≤ 1.13.3 Improper Input Validation

https://vuldb.com/?submit.775593

Exploit exploit

https://fx4tqqfvdw4.feishu.cn/docx/EunDdwORZoG3uzxpLykcj24mncJ?from=from_copylink

Scores

CVSS v3 6.3

EPSS 0.0019

EPSS Percentile 9.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-564 CWE-89

Status published

Products (4)

erupts/erupt 1.13.0

erupts/erupt 1.13.1

erupts/erupt 1.13.2

erupts/erupt 1.13.3

Published Mar 23, 2026

Tracked Since Mar 23, 2026