{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31040", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T20:19:10.339Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-08T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-08T15:06:06.312Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/SepineTam/stata-mcp/issues/20"}, {"url": "https://github.com/SepineTam/stata-mcp/pull/21"}, {"url": "https://github.com/SepineTam/stata-mcp/commit/52413ce"}, {"url": "https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "references": [{"url": "https://github.com/SepineTam/stata-mcp/issues/20", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T18:23:38.978894Z", "id": "CVE-2026-31040", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:19:10.339Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution."}], "id": "CVE-2026-31040", "lastModified": "2026-04-09T21:16:08.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T16:16:22.977", "references": [{"source": "cve@mitre.org", "url": "https://github.com/SepineTam/stata-mcp/commit/52413ce"}, {"source": "cve@mitre.org", "url": "https://github.com/SepineTam/stata-mcp/issues/20"}, {"source": "cve@mitre.org", "url": "https://github.com/SepineTam/stata-mcp/pull/21"}, {"source": "cve@mitre.org", "url": "https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/SepineTam/stata-mcp/issues/20"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.13.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "stata-mcp", "vendor": "sepinetam"}], "analysis": {"en": {"generated_at": "2026-04-09T22:47:46.973616+00:00", "value": {"mitigation_remediation": ["Upgrade the stata\u2011mcp package to version 1.13.0 or later, which removes the unvalidated do\u2011file handling.", "If an upgrade is not feasible, limit do\u2011file execution to a whitelist of trusted users or directories and review external do\u2011file content before running.", "Contain the Stata process using OS\u2011level controls such as containerization or chroot to restrict its privileges, thereby reducing the potential impact of a successful exploit.", "Monitor Stata logs for unexpected system command execution and investigate any deviations from normal usage patterns."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary command execution"}, "threat_synthesis": {"affected_systems": "The vulnerable component is the stata\u2011mcp package for Stata, affecting all releases before v1.13.0. Any environment that installs or uses this package and processes do\u2011files from untrusted sources is at risk. The product is an open\u2011source module, so there is no formal vendor but the repository hosts the code.", "description_and_impact": "The flaw occurs when user\u2011supplied Stata do\u2011file content is not properly validated in stata\u2011mcp versions prior to 1.13.0, permitting injection of arbitrary operating\u2011system commands. This constitutes a command\u2011injection weakness (CWE\u201178) coupled with a code\u2011injection flaw (CWE\u201194). An attacker who can supply a malicious do\u2011file could run arbitrary code with the privileges of the Stata process, potentially compromising the entire host, its data, and connected services.", "risk_and_exploitability": "The CVSS score of 9.8 signals critical severity, yet the EPSS score of less than 1\u202f% indicates that exploitation in the wild has not yet been seen, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a crafted do\u2011file to the Stata session; the likely attack vector is local execution by a user or an automated process that evaluates external files. Therefore, the risk is high for systems that trust arbitrary do\u2011file content, but low if such content is strictly controlled."}}}}, "created": "2026-04-08T19:44:46.013027+00:00", "updated": "2026-04-10T09:41:14.003294+00:00", "vendors": ["sepinetam", "sepinetam$PRODUCT$stata-mcp"]}