| Titel | erupts erupt erupt ≤ 1.13.3 Improper Input Validation |
|---|
| Beschreibung | Erupt contains an arbitrary HQL (Hibernate Query Language) execution vulnerability in the MCP (Model Context Protocol) tool interface. The EruptDataQuery function accepts user-controlled HQL queries without validation or sanitization, allowing authenticated attackers with OpenAPI credentials to execute arbitrary database queries and extract sensitive data. |
|---|
| Quelle | ⚠️ https://fx4tqqfvdw4.feishu.cn/docx/EunDdwORZoG3uzxpLykcj24mncJ?from=from_copylink |
|---|
| Benutzer | xcxr (UID 86629) |
|---|
| Einreichung | 09.03.2026 07:49 (vor 2 Monaten) |
|---|
| Moderieren | 22.03.2026 12:59 (13 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 352430 [erupts erupt bis 1.13.3 MCP Tool Interface EruptDataQuery.java EruptDataQuery SQL Injection] |
|---|
| Punkte | 19 |
|---|