{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31040", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T20:19:10.339Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-08T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-08T15:06:06.312Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/SepineTam/stata-mcp/issues/20"}, {"url": "https://github.com/SepineTam/stata-mcp/pull/21"}, {"url": "https://github.com/SepineTam/stata-mcp/commit/52413ce"}, {"url": "https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "references": [{"url": "https://github.com/SepineTam/stata-mcp/issues/20", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T18:23:38.978894Z", "id": "CVE-2026-31040", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:19:10.339Z"}}]}, "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:statamcp:stata-mcp:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD23CBFB-6391-4291-9380-AE45481E555A", "versionEndExcluding": "1.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution."}], "id": "CVE-2026-31040", "lastModified": "2026-04-14T19:31:55.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T16:16:22.977", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/SepineTam/stata-mcp/commit/52413ce"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory", "Issue Tracking"], "url": "https://github.com/SepineTam/stata-mcp/issues/20"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://github.com/SepineTam/stata-mcp/pull/21"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Issue Tracking"], "url": "https://github.com/SepineTam/stata-mcp/issues/20"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.13.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "stata-mcp", "vendor": "sepinetam"}], "analysis": {"en": {"generated_at": "2026-04-14T21:30:17.108998+00:00", "value": {"mitigation_remediation": ["Update to the latest release of stata\u2011mcp (v1.13.0 or newer) to eliminate the injection flaw.", "Restrict which users can supply do\u2011file content to the application to prevent accidental or malicious execution of code."], "summary": {"action": "Immediate Patch", "impact": "Command Execution via Unvalidated Stata Do\u2011File"}, "threat_synthesis": {"affected_systems": "The defect exists in the stata\u2011mcp package. All releases prior to version 1.13.0 are vulnerable; versions 1.13.0 and later contain the fix.", "description_and_impact": "A flaw in the stata\u2011mcp application allows an attacker to inject and execute arbitrary Stata commands by supplying specially crafted do\u2011file content. This leads to direct command execution on the host running the application, compromising confidentiality, integrity, and availability of the affected system. The weakness is a classic code injection flaw (CWE\u201194).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.8, indicating critical severity. Its EPSS score is under 1%, suggesting a low probability of mass exploitation in the wild, and it is not cataloged in the CISA KEV list. The likely attack path involves an adversary who can supply a malicious do\u2011file to the affected instance, triggering the injection and gaining local command execution rights. The high CVSS reflects the potential for complete compromise once the injection is successful."}}}}, "created": "2026-04-08T19:44:46.013027+00:00", "updated": "2026-04-15T16:15:11.961648+00:00", "vendors": ["sepinetam", "sepinetam$PRODUCT$stata-mcp"]}