Home

Description

A security flaw has been discovered in dubydu sqlite-mcp up to 0.1.0. The affected element is the function extract_to_json of the file src/entry.py. Performing a manipulation of the argument output_filename results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The patch is named a5580cb992f4f6c308c9ffe6442b2e76709db548. Applying a patch is the recommended action to fix this issue.

PUBLISHED Reserved 2026-04-27 | Published 2026-04-28 | Updated 2026-04-28 | Assigner VulDB




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
HIGH: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
HIGH: 7.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
7.5AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

SQL Injection

Injection

Product status

0.1.0
affected

Timeline

2026-04-27:Advisory disclosed
2026-04-27:VulDB entry created
2026-04-27:VulDB entry last update

Credits

SmallW (VulDB User) reporter

References

github.com/dubydu/sqlite-mcp/issues/1 exploit

vuldb.com/vuln/359806 (VDB-359806 | dubydu sqlite-mcp entry.py extract_to_json sql injection) vdb-entry technical-description

vuldb.com/vuln/359806/cti (VDB-359806 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/submit/802081 (Submit #802081 | dubydu sqlite-mcp 0.1.0 Pathname Traversal) third-party-advisory

github.com/dubydu/sqlite-mcp/issues/1 exploit issue-tracking

github.com/dubydu/sqlite-mcp/pull/2 issue-tracking patch

github.com/...ommit/a5580cb992f4f6c308c9ffe6442b2e76709db548 patch

github.com/dubydu/sqlite-mcp/ product

cve.org (CVE-2026-7206)

nvd.nist.gov (CVE-2026-7206)

Download JSON