EXECUTIVE SUMMARY:
CVE-2026-47708 with a CVSS score of 9.0 is a command‑injection flaw in the pip/stata-mcp package (versions prior to 1.17.3) that affects the `stata_do` API and CLI wrapper used to run Stata do‑files. The vulnerability arises because the `log_file_name` parameter is concatenated into a Stata command string without any sanitisation, allowing an attacker to close the quoted log‑file argument and inject additional Stata or system commands such as `shell`, `python`, or `erase`. Exploitation requires only the ability to invoke the MCP tool—either via the API or command line—and supply a crafted `log_file_name`; no privileged access or prior compromise of the target host is needed. Once triggered, the attacker can execute arbitrary shell commands on the host, write or overwrite files through path‑traversal in the log name, and effectively achieve remote code execution. The business impact includes potential full system compromise, data exfiltration, service disruption, and loss of integrity for any environment where Stata automation is used. Exploitation is possible whenever the vulnerable wrapper is used without input validation, and when the attacker can influence the log parameter.
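As an added illustration (not code from stata-mcp or from the advisory), the sketch below contrasts the concatenation pattern described above with allow-list validation and directory confinement of `log_file_name`. The function names, the `log using "...", replace` command shape and the `.log` suffix are assumptions made for the example.

```python
import re
from pathlib import Path

# Allow-list for the untrusted name: starts alphanumeric, then letters, digits,
# dot, underscore or hyphen. No quotes, whitespace, separators, ` or $.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def naive_log_command(log_file_name: str) -> str:
    """Hypothetical 'before' pattern: the name is pasted into the command as-is."""
    return f'log using "{log_file_name}.log", replace'


def safe_log_path(log_file_name: str, log_dir: Path) -> Path:
    """Validate an untrusted log name and confine the result to log_dir."""
    # fullmatch (not match with '$') so a trailing newline cannot slip through.
    if not isinstance(log_file_name, str) or not _SAFE_NAME.fullmatch(log_file_name):
        raise ValueError("log_file_name has disallowed characters")
    base = log_dir.resolve()
    candidate = (base / f"{log_file_name}.log").resolve()
    # Defence in depth: the resolved file must sit directly inside log_dir.
    if candidate.parent != base:
        raise ValueError("log_file_name escapes the log directory")
    # log_dir is operator-controlled, but it is quoted too, so check it as well.
    if any(ch in str(candidate) for ch in '"\r\n`$'):
        raise ValueError("log path is not safe to quote")
    return candidate


def build_log_command(log_file_name: str, log_dir: Path) -> str:
    """Build the Stata log command only from a validated, confined path."""
    return f'log using "{safe_log_path(log_file_name, log_dir)}", replace'


def rejected(names, log_dir: Path):
    """Return the subset of names that validation refuses."""
    out = []
    for name in names:
        try:
            safe_log_path(name, log_dir)
        except ValueError:
            out.append(name)
    return out
```

Validation of this kind complements, and does not replace, upgrading to 1.17.3 or later.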
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-4p62-hqp5-g644