Description
A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.
Published: 2026-04-08
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution via Unvalidated Stata Do‑File
Action: Immediate Patch
AI Analysis

Impact

A flaw in the stata‑mcp application allows an attacker to inject and execute arbitrary Stata commands by supplying specially crafted do‑file content. This leads to direct command execution on the host running the application, compromising confidentiality, integrity, and availability of the affected system. The weakness is a classic code injection flaw (CWE‑94).

Affected Systems

The defect exists in the stata‑mcp package. All releases prior to version 1.13.0 are vulnerable; versions 1.13.0 and later contain the fix.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity. Its EPSS score is under 1%, suggesting a low probability of mass exploitation in the wild, and it is not cataloged in the CISA KEV list. The likely attack path involves an adversary who can supply a malicious do‑file to the affected instance, triggering the injection and gaining local command execution rights. The high CVSS reflects the potential for complete compromise once the injection is successful.

Generated by OpenCVE AI on April 14, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest release of stata‑mcp (v1.13.0 or newer) to eliminate the injection flaw.
  • Restrict which users can supply do‑file content to the application to prevent accidental or malicious execution of code.

Generated by OpenCVE AI on April 14, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jpcj-7wfg-mqxv stata-mcp has insufficient validation of user-supplied Stata do-file content that can lead to command execution
History

Wed, 15 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title Command Injection via Unvalidated Stata Do‑File in stata‑mcp

Tue, 14 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Statamcp
Statamcp stata-mcp
CPEs cpe:2.3:a:statamcp:stata-mcp:*:*:*:*:*:*:*:*
Vendors & Products Statamcp
Statamcp stata-mcp

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Command Injection via Unvalidated Stata Do‑File in stata‑mcp

Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title Command Execution via Unvalidated Stata Do‑File Content in stata-mcp
Weaknesses CWE-78

Thu, 09 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Sepinetam
Sepinetam stata-mcp
Vendors & Products Sepinetam
Sepinetam stata-mcp

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Command Execution via Unvalidated Stata Do‑File Content in stata-mcp
Weaknesses CWE-78

Wed, 08 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.
References

Subscriptions

Sepinetam Stata-mcp
Statamcp Stata-mcp
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T20:19:10.339Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31040

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T16:16:22.977

Modified: 2026-04-14T19:31:55.037

Link: CVE-2026-31040

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')