Skip to main content

Stata Mcp CVE-2026-31040

| EUVDEUVD-2026-20475 CRITICAL
Code Injection (CWE-94)
2026-04-08 cve@mitre.org GHSA-jpcj-7wfg-mqxv
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 16:22 euvd
EUVD-2026-20475
Analysis Generated
Apr 08, 2026 - 16:22 vuln.today
CVE Published
Apr 08, 2026 - 16:16 nvd
CRITICAL 9.8

DescriptionCVE.org

A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.

AnalysisAI

Remote code execution via command injection in stata-mcp versions before 1.13.0 allows unauthenticated attackers to execute arbitrary commands through insufficiently validated Stata do-file content. The vulnerability stems from CWE-94 improper control of code generation, enabling network-accessible exploitation without user interaction. CVSS 9.8 (Critical) reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, percentile 6%).

Technical ContextAI

CWE-94 code injection flaw in stata-mcp's do-file parser permits attacker-controlled input to be interpreted as executable commands. CVSS vector AV:N/AC:L/PR:N indicates remotely exploitable with low complexity and no authentication barrier. Vulnerable code inadequately sanitizes user-supplied Stata script content before execution, creating command injection surface.

RemediationAI

Vendor-released patch: upgrade to stata-mcp v1.13.0 immediately, available at https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0. Version 1.13.0 addresses the command injection vulnerability via commit 52413ce (https://github.com/SepineTam/stata-mcp/commit/52413ce) and PR #21 (https://github.com/SepineTam/stata-mcp/pull/21). No workarounds provide equivalent protection; upgrading is mandatory. Identify all instances processing untrusted do-file content and prioritize patching internet-facing deployments. If immediate upgrade is infeasible, discontinue processing external do-file input until patched. Vulnerability details: https://nvd.nist.gov/vuln/detail/CVE-2026-31040 and https://github.com/SepineTam/stata-mcp/issues/20.

Share

CVE-2026-31040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy