Is there a public PoC exploit available for CVE-2026-11529?

Yes, a public proof-of-concept exploit is available for CVE-2026-11529. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for CVE-2026-11529?

Yes, a patch is available for CVE-2026-11529. Update the affected software to the latest version immediately.

mysql-mcp-server CVE-2026-11529

Q: What is the CVSS score of CVE-2026-11529?

CVE-2026-11529 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-35108 LOW

SQL Injection (CWE-89)

2026-06-08 VulDB

GHSA-mvq4-39wx-6h5g

SQLi Mysql Mcp Server

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Jun 08, 2026 - 16:22 NVD

MEDIUM LOW

CVSS changed

Jun 08, 2026 - 16:22 NVD

6.3 (MEDIUM) 2.1 (LOW)

Source Code Evidence Fetched

Jun 08, 2026 - 16:19 vuln.today

Analysis Generated

Jun 08, 2026 - 16:19 vuln.today

CVE Published

Jun 08, 2026 - 15:30 nvd

MEDIUM 6.3

DescriptionCVE.org

A vulnerability was determined in designcomputer mysql-mcp-server up to 0.2.2. The impacted element is the function read_resource of the file src/mysql_mcp_server/server.py of the component mysql URI Handler. This manipulation of the argument uri_str causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.3.0 is sufficient to resolve this issue. Patch name: 080bef9a96d625ce0dfbde573a08b93497871981. Upgrading the affected component is advised.

AnalysisAI

SQL injection in designcomputer mysql-mcp-server (versions up to 0.2.2) allows authenticated remote attackers to execute arbitrary SQL via a crafted mysql:// URI passed to the read_resource function in server.py. The vulnerability stems from insufficient validation of the table-name segment in mysql://database/<name> URIs before interpolation into MySQL queries. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain low-privilege MCP client access

Delivery

Craft malicious mysql://database/<SQLi_payload> URI

Exploit

Submit URI to read_resource endpoint

Execution

Bypass absent table-name validation

Persist

Execute injected SQL against backend MySQL

Impact

Exfiltrate or manipulate database contents