PT-2026-35575 · Unknown · Sqlite-Mcp

Smallw · Published 2026-04-28 · Updated 2026-04-28 · CVE-2026-7206

CVSS v2.0 · 7.5 · High

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

dubydu sqlite-mcp versions prior to 0.1.1

Description

A flaw in the extract_to_json() function within the src/entry.py file allows for remote SQL injection. This occurs when the output filename argument is manipulated, enabling an attacker to execute unauthorized SQL commands.

Recommendations

Apply patch a5580cb992f4f6c308c9ffe6442b2e76709db548. As a temporary workaround, restrict or avoid the use of the output filename argument in the extract_to_json() function.

Exploit

Fix

Special Elements Injection

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-7206
GHSA-4J28-22QP-RJCF

Affected Products

Sqlite-Mcp