Description
A flaw has been found in erupts erupt up to 1.13.3. Affected by this vulnerability is the function EruptDataQuery of the file erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java of the component MCP Tool Interface. This manipulation leads to SQL injection (Hibernate). It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing remote database manipulation
Action: Immediate Patch
AI Analysis

Impact

The flaw occurs in the EruptDataQuery function of the MCP Tool Interface, enabling users to inject arbitrary SQL statements into the underlying database through Hibernate. This vulnerability can lead to unauthorized database access, such as reading, modifying or deleting sensitive data. The description confirms that the injection can be triggered remotely and that a published exploit exists.

Affected Systems

The affected product is erupts: erupt, specifically version 1.13.3 of the erupt-ai component. The vulnerability resides in the file erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java of the MCP Tool Interface. Deployments using this exact release are at risk if no update is applied.

Risk and Exploitability

The CVSS score of 5.3 classifies the vulnerability as moderate severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog. However, the description indicates that the attack can be performed remotely over the network and that an exploit has already been published, increasing the likelihood of real-world attacks. The overall risk remains moderate, with unpatched deployments susceptible to database compromise.

Generated by OpenCVE AI on March 23, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch or newer release from the vendor that addresses the EruptDataQuery SQL injection.
  • If no patch is available, upgrade to a version that is not affected by this vulnerability.
  • Restrict the database account used by the application to the minimum privileges required for normal operation.
  • Implement input validation or use prepared statements in the application to reduce the risk of SQL injection.
  • Deploy a web application firewall or database activity monitoring to detect suspicious queries.
  • Monitor the vendor’s security advisories and respond promptly to any updates.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared: Erupt, Erupt erupt
Vendors & Products: Erupt, Erupt erupt

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description A flaw has been found in erupts erupt bis 1.13.3. Affected by this vulnerability is the function EruptDataQuery of the file erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java of the component MCP Tool Interface. This manipulation causes sql injection hibernate. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title erupts erupt MCP Tool EruptDataQuery.java EruptDataQuery sql injection
Weaknesses CWE-564
CWE-89
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-25T14:19:46.730Z

Reserved: 2026-03-22T11:59:29.171Z

Link: CVE-2026-4593

Vulnrichment

Updated: 2026-03-25T14:19:41.511Z

NVD

Status : Awaiting Analysis

Published: 2026-03-23T17:16:57.977

Modified: 2026-03-24T15:54:09.400

Link: CVE-2026-4593

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:37:23Z

Weaknesses