{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31040", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T20:19:10.339Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-08T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-08T15:06:06.312Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/SepineTam/stata-mcp/issues/20"}, {"url": "https://github.com/SepineTam/stata-mcp/pull/21"}, {"url": "https://github.com/SepineTam/stata-mcp/commit/52413ce"}, {"url": "https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "references": [{"url": "https://github.com/SepineTam/stata-mcp/issues/20", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T18:23:38.978894Z", "id": "CVE-2026-31040", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:19:10.339Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution."}], "id": "CVE-2026-31040", "lastModified": "2026-04-09T21:16:08.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T16:16:22.977", "references": [{"source": "cve@mitre.org", "url": "https://github.com/SepineTam/stata-mcp/commit/52413ce"}, {"source": "cve@mitre.org", "url": "https://github.com/SepineTam/stata-mcp/issues/20"}, {"source": "cve@mitre.org", "url": "https://github.com/SepineTam/stata-mcp/pull/21"}, {"source": "cve@mitre.org", "url": "https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/SepineTam/stata-mcp/issues/20"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.13.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "stata-mcp", "vendor": "sepinetam"}], "analysis": {"en": {"generated_at": "2026-04-08T16:26:29.973511+00:00", "value": {"mitigation_remediation": ["Upgrade stata\u2011mcp to version 1.13.0 or later.", "Verify that the upgraded version includes stricter validation for Stata do\u2011file content.", "Restrict who can supply or execute do\u2011files, limiting potential misuse.", "If upgrading is not immediately possible, isolate the application from untrusted input and monitor for attempted command execution."], "summary": {"action": "Immediate Patch", "impact": "Command Execution"}, "threat_synthesis": {"affected_systems": "stata\u2011mcp versions earlier than 1.13.0 are affected. No specific vendor was identified; the product is the open\u2011source stata\u2011mcp tool, which is publicly available via GitHub. Systems running any pre\u20111.13.0 release of this software should be reviewed for exposure. ", "description_and_impact": "The vulnerability in stata\u2011mcp allows arbitrary command execution due to insufficient validation of user\u2011supplied Stata do\u2011file content. An attacker who can supply a malicious do\u2011file can cause the application to execute shell commands, potentially compromising system confidentiality, integrity, and availability. The weakness stems from a failure to sanitize or restrict executable code within user input, enabling code injection. ", "risk_and_exploitability": "Given the command\u2011execution capability, the risk is high. No CVSS score or EPSS data are provided, but the vulnerability permits full control over system commands, making exploitation straightforward if an attacker can supply a malicious do\u2011file. The likely attack vector is when the application processes user\u2011supplied content, whether from a local user or insecure remote input. As the vulnerability is not listed in the CISA KEV catalog, known exploits have not yet been reported, though the impact remains severe."}}}}, "created": "2026-04-08T19:44:46.013027+00:00", "title": "Command Execution via Unvalidated Stata Do\u2011File Content in stata-mcp", "updated": "2026-04-09T08:22:54.679005+00:00", "vendors": ["sepinetam", "sepinetam$PRODUCT$stata-mcp"], "weaknesses": ["CWE-78"]}