Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.
AnalysisAI
Remote code execution via command injection in stata-mcp versions before 1.13.0 allows unauthenticated attackers to execute arbitrary commands through insufficiently validated Stata do-file content. The vulnerability stems from CWE-94 improper control of code generation, enabling network-accessible exploitation without user interaction. CVSS 9.8 (Critical) reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, percentile 6%).
Technical ContextAI
CWE-94 code injection flaw in stata-mcp's do-file parser permits attacker-controlled input to be interpreted as executable commands. CVSS vector AV:N/AC:L/PR:N indicates remotely exploitable with low complexity and no authentication barrier. Vulnerable code inadequately sanitizes user-supplied Stata script content before execution, creating command injection surface.
RemediationAI
Vendor-released patch: upgrade to stata-mcp v1.13.0 immediately, available at https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0. Version 1.13.0 addresses the command injection vulnerability via commit 52413ce (https://github.com/SepineTam/stata-mcp/commit/52413ce) and PR #21 (https://github.com/SepineTam/stata-mcp/pull/21). No workarounds provide equivalent protection; upgrading is mandatory. Identify all instances processing untrusted do-file content and prioritize patching internet-facing deployments. If immediate upgrade is infeasible, discontinue processing external do-file input until patched. Vulnerability details: https://nvd.nist.gov/vuln/detail/CVE-2026-31040 and https://github.com/SepineTam/stata-mcp/issues/20.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20475
GHSA-jpcj-7wfg-mqxv