Description
A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.
Published: 2026-04-08
Score: n/a
EPSS: n/a
KEV: No
Impact: Command Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in stata-mcp allows arbitrary command execution due to insufficient validation of user-supplied Stata do-file content. An attacker who can supply a malicious do-file can cause the application to execute shell commands, potentially compromising system confidentiality, integrity, and availability. The weakness stems from a failure to sanitize or restrict executable code within user input, enabling code injection.

Affected Systems

stata-mcp versions earlier than 1.13.0 are affected. No specific vendor was identified; the product is the open-source stata-mcp tool, which is publicly available via GitHub. Systems running any pre-1.13.0 release of this software should be reviewed for exposure.

Risk and Exploitability

Given the command-execution capability, the risk is high. No CVSS score or EPSS data are provided, but the vulnerability permits full control over system commands, making exploitation straightforward if an attacker can supply a malicious do-file. The likely attack vector is the application processing user-supplied do-file content, whether from a local user or from insecure remote input. The vulnerability is not listed in the CISA KEV catalog, so no in-the-wild exploitation has been recorded there yet, though the impact remains severe.

Generated by OpenCVE AI on April 8, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade stata-mcp to version 1.13.0 or later.
  • Verify that the upgraded version includes stricter validation for Stata do-file content.
  • Restrict who can supply or execute do-files, limiting potential misuse.
  • If upgrading is not immediately possible, isolate the application from untrusted input and monitor for attempted command execution.

Advisories

Source: Github GHSA
ID: GHSA-jpcj-7wfg-mqxv
Title: stata-mcp has insufficient validation of user-supplied Stata do-file content that can lead to command execution

History

Wed, 08 Apr 2026 20:15:00 +0000

Type         Values Removed   Values Added
Title        (none)           Command Execution via Unvalidated Stata Do-File Content in stata-mcp
Weaknesses   (none)           CWE-78

Wed, 08 Apr 2026 15:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-08T15:06:06.312Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31040

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T16:16:22.977

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-31040

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:44:46Z

Weaknesses