CVE-2026-7206: SQL Injection in dubydu sqlite-mcp
A security flaw has been discovered in dubydu sqlite-mcp up to 0.1.0. The affected element is the function extract_to_json of the file src/entry.py. Performing a manipulation of the argument output_filename results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The patch is named a5580cb992f4f6c308c9ffe6442b2e76709db548. Applying a patch is the recommended action to fix this issue.
AI Analysis
Technical Summary
The vulnerability CVE-2026-7206 affects dubydu sqlite-mcp up to version 0.1.0. It is caused by improper handling of the output_filename parameter in the extract_to_json function in src/entry.py, allowing an attacker to perform SQL injection. This can be exploited remotely without privileges or user interaction, potentially leading to unauthorized database access or manipulation. A patch commit a5580cb992f4f6c308c9ffe6442b2e76709db548 is available to fix this issue. The CVSS 4.0 base score is 6.9, indicating medium severity. No cloud service is involved, and no official remediation level is specified in the provided data.
Potential Impact
Successful exploitation allows remote attackers to execute arbitrary SQL commands via the output_filename argument, potentially compromising the integrity and confidentiality of the database managed by sqlite-mcp. This could lead to unauthorized data access or modification. The vulnerability does not require privileges or user interaction, increasing its risk. Public exploit code availability raises the likelihood of attacks.
Mitigation Recommendations
A patch identified by commit a5580cb992f4f6c308c9ffe6442b2e76709db548 has been released and applying it is the recommended remediation. Since no official vendor advisory or patch link is provided, users should verify patch availability and apply the fix from the official dubydu repository or vendor channels. Until patched, avoid exposing the vulnerable function to untrusted inputs.
CVE-2026-7206: SQL Injection in dubydu sqlite-mcp
Description
A security flaw has been discovered in dubydu sqlite-mcp up to 0.1.0. The affected element is the function extract_to_json of the file src/entry.py. Performing a manipulation of the argument output_filename results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The patch is named a5580cb992f4f6c308c9ffe6442b2e76709db548. Applying a patch is the recommended action to fix this issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-7206 affects dubydu sqlite-mcp up to version 0.1.0. It is caused by improper handling of the output_filename parameter in the extract_to_json function in src/entry.py, allowing an attacker to perform SQL injection. This can be exploited remotely without privileges or user interaction, potentially leading to unauthorized database access or manipulation. A patch commit a5580cb992f4f6c308c9ffe6442b2e76709db548 is available to fix this issue. The CVSS 4.0 base score is 6.9, indicating medium severity. No cloud service is involved, and no official remediation level is specified in the provided data.
Potential Impact
Successful exploitation allows remote attackers to execute arbitrary SQL commands via the output_filename argument, potentially compromising the integrity and confidentiality of the database managed by sqlite-mcp. This could lead to unauthorized data access or modification. The vulnerability does not require privileges or user interaction, increasing its risk. Public exploit code availability raises the likelihood of attacks.
Mitigation Recommendations
A patch identified by commit a5580cb992f4f6c308c9ffe6442b2e76709db548 has been released and applying it is the recommended remediation. Since no official vendor advisory or patch link is provided, users should verify patch availability and apply the fix from the official dubydu repository or vendor channels. Until patched, avoid exposing the vulnerable function to untrusted inputs.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-04-27T14:05:13.793Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f008add3d5ab9102728438
Added to database: 4/28/2026, 1:09:01 AM
Last enriched: 4/28/2026, 1:24:49 AM
Last updated: 4/28/2026, 3:10:45 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.