| Field | Value |
|---|---|
| Title | AlejandroArciniegas mcp-data-vis 1.0.0 SQL Injection |
| Description | AlejandroArciniegas mcp-data-vis contains an SQL injection vulnerability in src/servers/database/server.js. The create_table tool constructs a CREATE TABLE statement by embedding an attacker-controlled schema value directly into SQL text and executes it with db.exec() without parameterization or strict validation. An attacker who can invoke the vulnerable MCP handler can execute unintended SQL statements against the application's SQLite database, which may result in unauthorized data access, modification, or deletion. |
| Source | https://github.com/wing3e/public_exp/issues/19 |
| User | BigW (UID 96422) |
| Submission | 03/16/2026 10:23 |
| Moderation | 04/01/2026 15:03 (16 days later) |
| Status | Accepted |
| VulDB entry | 354654 [AlejandroArciniegas mcp-data-vis MCP server.js request sql injection] |
| Points | 20 |
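The description says the create_table tool splices a schema string into a CREATE TABLE statement and runs it with db.exec(). The block below is an added example, not code from mcp-data-vis and not taken from the advisory: a hypothetical handler of the shape described, beside a hardened builder that accepts a structured column list and validates every token before it reaches SQL text. The function names (createTableVulnerable, createTableHardened, buildCreateTable), the column object format, the allowlisted SQLite types and the recording `db` stub are all assumptions; the attacker payload is constructed. DDL identifiers and column types cannot be bound as query parameters, which is why validation rather than parameterization is the fix here.

```javascript
// Added example (not the project's code). `makeRecordingDb` is a stand-in
// for the real SQLite handle: it records what exec() would run, so the
// block runs without a database driver.
function makeRecordingDb() {
  const executed = [];
  return { executed, exec(sql) { executed.push(sql); } };
}

// Vulnerable shape as described in the advisory: the schema string is
// trusted and concatenated straight into the statement.
function createTableVulnerable(db, name, schema) {
  const sql = `CREATE TABLE ${name} (${schema})`;
  db.exec(sql);
  return sql;
}

// Hardened version. Identifiers must match a strict pattern and are
// double-quoted; column types come from an allowlist; nothing else from
// the caller is ever placed into SQL text.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const TYPES = new Set(['INTEGER', 'REAL', 'TEXT', 'BLOB', 'NUMERIC']);

function quoteIdent(name) {
  if (typeof name !== 'string' || !IDENT.test(name)) {
    throw new Error(`invalid identifier: ${JSON.stringify(name)}`);
  }
  return `"${name}"`;
}

// Expects structured input such as [{ name: 'id', type: 'INTEGER', primaryKey: true }]
// instead of a free-form schema string (assumed format).
function buildCreateTable(name, columns) {
  if (!Array.isArray(columns) || columns.length === 0) {
    throw new Error('columns must be a non-empty array');
  }
  const defs = columns.map((c) => {
    const type = String(c.type).toUpperCase();
    if (!TYPES.has(type)) throw new Error(`invalid column type: ${JSON.stringify(c.type)}`);
    let def = `${quoteIdent(c.name)} ${type}`;
    if (c.primaryKey === true) def += ' PRIMARY KEY';
    if (c.notNull === true) def += ' NOT NULL';
    return def;
  });
  return `CREATE TABLE ${quoteIdent(name)} (${defs.join(', ')})`;
}

function createTableHardened(db, name, columns) {
  const sql = buildCreateTable(name, columns);
  db.exec(sql);
  return sql;
}

// Constructed attacker input: closes the column list, appends a second
// statement, and comments out the trailing parenthesis. db.exec() runs
// every statement in the string, so the DROP would execute too.
const PAYLOAD = 'id INTEGER); DROP TABLE users; --';

function demo() {
  const db = makeRecordingDb();
  const vulnerable = createTableVulnerable(db, 'report', PAYLOAD);
  let rejected = null;
  try {
    createTableHardened(db, 'report', [{ name: PAYLOAD, type: 'INTEGER' }]);
  } catch (e) {
    rejected = e.message;
  }
  const safe = createTableHardened(db, 'report', [
    { name: 'id', type: 'integer', primaryKey: true },
    { name: 'label', type: 'TEXT', notNull: true },
  ]);
  return { vulnerable, rejected, safe, executed: db.executed };
}

console.log(demo());
```

A second, independent layer is to stop using an API that executes arbitrary multi-statement strings for caller-influenced DDL: with better-sqlite3, for instance, db.prepare(sql) refuses a string containing more than one statement, so a payload that tacks on a DROP fails even if validation is bypassed (whether mcp-data-vis uses that driver is not stated on this page).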