| Field | Value |
|---|---|
| Title | AlejandroArciniegas mcp-data-vis 1.0.0 SQL Injection |
| Description | AlejandroArciniegas mcp-data-vis contains an SQL injection vulnerability in src/servers/database/server.js. The create_table tool constructs a CREATE TABLE statement by embedding an attacker-controlled schema value directly into SQL text and executes it with db.exec() without parameterization or strict validation. An attacker who can invoke the vulnerable MCP handler can execute unintended SQL statements against the application's SQLite database, which may result in unauthorized data access, modification, or deletion. |
| Source | https://github.com/wing3e/public_exp/issues/19 |
| User | BigW (UID 96422) |
| Submitted | 2026-03-16 10:23 (22 days ago) |
| Moderated | 2026-04-01 15:03 (16 days later) |
| Status | Accepted |
| VulDB entry | 354654 [AlejandroArciniegas mcp-data-vis MCP server.js request SQL injection] |
| Points | 20 |
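The weakness described in the entry, as an added example that is not code from mcp-data-vis: the first builder reproduces the unsafe pattern (a schema string spliced verbatim into DDL that db.exec() would then run), while the second shows the fix, since SQLite cannot bind table names, column names or types as parameters, the schema must arrive as structured data with validated, quoted identifiers and allow-listed types. All function names and the schema shape are hypothetical.

```javascript
// Added example, not taken from mcp-data-vis. Identifier and type checks
// are the defence here because DDL cannot be parameterized.
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;
const ALLOWED_TYPES = new Set(['INTEGER', 'REAL', 'TEXT', 'BLOB', 'NUMERIC']);

// Unsafe pattern from the advisory: whatever the caller supplies as `schema`
// becomes SQL text. A value that closes the column list early and appends a
// second statement is executed as-is by db.exec(); nothing filters it.
function buildCreateTableUnsafe(table, schema) {
  return `CREATE TABLE ${table} (${schema})`;
}

// Accept only a plain identifier and wrap it in double quotes so it can
// never be read as anything but a name. Rejects whitespace, quotes, ';', ')'.
function quoteIdent(name) {
  if (typeof name !== 'string' || !IDENT_RE.test(name)) {
    throw new Error(`invalid identifier: ${JSON.stringify(name)}`);
  }
  return `"${name}"`;
}

// Hardened builder: schema is an array of {name, type, primaryKey} objects
// (hypothetical shape). Every name passes quoteIdent, every type must be in
// ALLOWED_TYPES, and the only constraint allowed is a boolean PRIMARY KEY.
function buildCreateTableSafe(table, columns) {
  if (!Array.isArray(columns) || columns.length === 0) {
    throw new Error('schema must be a non-empty array of columns');
  }
  const defs = columns.map(({ name, type, primaryKey }) => {
    const t = String(type).toUpperCase();
    if (!ALLOWED_TYPES.has(t)) {
      throw new Error(`disallowed column type: ${JSON.stringify(type)}`);
    }
    return `${quoteIdent(name)} ${t}${primaryKey === true ? ' PRIMARY KEY' : ''}`;
  });
  return `CREATE TABLE ${quoteIdent(table)} (${defs.join(', ')})`;
}

// Convenience check: true when the hardened builder refuses the input,
// i.e. the statement would never reach db.exec().
function isRejected(table, columns) {
  try {
    buildCreateTableSafe(table, columns);
    return false;
  } catch {
    return true;
  }
}
```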