Arbitrary Command Injection Affecting stata-mcp package, versions [,1.17.3)


Severity

Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.63% (71st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Command Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-STATAMCP-17670579
  • published29 Jun 2026
  • disclosed4 Jun 2026
  • creditSepineTam

Introduced: 4 Jun 2026

NewCVE-2026-47708  (opens in a new tab)
CWE-77  (opens in a new tab)

How to fix?

Upgrade stata-mcp to version 1.17.3 or higher.

Overview

stata-mcp is a Let LLM help you achieve your regression analysis with Stata

Affected versions of this package are vulnerable to Arbitrary Command Injection via the log_file_name parameter in the Stata command wrapper. An attacker can execute arbitrary commands and write files outside the intended directory by supplying specially crafted input containing quotes, newlines, or command separators.

CVSS Base Scores

version 4.0
version 3.1