CVE-2026-7206: SQL Injection in dubydu sqlite-mcp
CVE-2026-7206 is a medium severity SQL injection vulnerability in the dubydu sqlite-mcp product version 0.1.0. The flaw exists in the extract_to_json function within src/entry.py, where manipulation of the output_filename argument can lead to SQL injection. This vulnerability can be exploited remotely without authentication or user interaction. A patch identified by commit a5580cb992f4f6c308c9ffe6442b2e76709db548 has been released to fix the issue. No known exploits are reported in the wild at this time.
AI Analysis
Technical Summary
The vulnerability CVE-2026-7206 affects dubydu sqlite-mcp up to version 0.1.0. It is caused by improper handling of the output_filename argument in the extract_to_json function in src/entry.py, allowing an attacker to perform SQL injection remotely. The vulnerability has a CVSS 4.0 base score of 6.9, indicating medium severity with network attack vector, low complexity, no privileges required, and no user interaction needed. A patch commit a5580cb992f4f6c308c9ffe6442b2e76709db548 has been published to remediate this issue.
Potential Impact
Successful exploitation of this vulnerability allows an unauthenticated remote attacker to execute arbitrary SQL commands on the affected system via the output_filename parameter. This can lead to unauthorized data access or modification. The CVSS score of 6.9 reflects a medium severity impact with potential for partial confidentiality, integrity, and availability loss.
Mitigation Recommendations
A patch identified by commit a5580cb992f4f6c308c9ffe6442b2e76709db548 is available and should be applied to affected versions of dubydu sqlite-mcp (up to 0.1.0) to remediate this SQL injection vulnerability. Since the product is not a cloud service, users must manually apply this patch. No other vendor advisory details are available, so check the official dubydu project repository or vendor channels for the patch and further instructions.
CVE-2026-7206: SQL Injection in dubydu sqlite-mcp
Description
CVE-2026-7206 is a medium severity SQL injection vulnerability in the dubydu sqlite-mcp product version 0.1.0. The flaw exists in the extract_to_json function within src/entry.py, where manipulation of the output_filename argument can lead to SQL injection. This vulnerability can be exploited remotely without authentication or user interaction. A patch identified by commit a5580cb992f4f6c308c9ffe6442b2e76709db548 has been released to fix the issue. No known exploits are reported in the wild at this time.
CVSS v4.0
Score 6.9medium
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-7206 affects dubydu sqlite-mcp up to version 0.1.0. It is caused by improper handling of the output_filename argument in the extract_to_json function in src/entry.py, allowing an attacker to perform SQL injection remotely. The vulnerability has a CVSS 4.0 base score of 6.9, indicating medium severity with network attack vector, low complexity, no privileges required, and no user interaction needed. A patch commit a5580cb992f4f6c308c9ffe6442b2e76709db548 has been published to remediate this issue.
Potential Impact
Successful exploitation of this vulnerability allows an unauthenticated remote attacker to execute arbitrary SQL commands on the affected system via the output_filename parameter. This can lead to unauthorized data access or modification. The CVSS score of 6.9 reflects a medium severity impact with potential for partial confidentiality, integrity, and availability loss.
Mitigation Recommendations
A patch identified by commit a5580cb992f4f6c308c9ffe6442b2e76709db548 is available and should be applied to affected versions of dubydu sqlite-mcp (up to 0.1.0) to remediate this SQL injection vulnerability. Since the product is not a cloud service, users must manually apply this patch. No other vendor advisory details are available, so check the official dubydu project repository or vendor channels for the patch and further instructions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-04-27T14:05:13.793Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f008add3d5ab9102728438
Added to database: 4/28/2026, 1:09:01 AM
Last enriched: 5/5/2026, 7:35:31 AM
Last updated: 6/12/2026, 6:34:29 AM
Views: 80
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.