A security flaw has been discovered in dubydu sqlite-mcp up to 0.1.0. The affected element is the function extract_to_json of the file src/entry.py. Performing a manipulation of the argument output_filename results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The patch is named a5580cb992f4f6c308c9ffe6442b2e76709db548. Applying a patch is the recommended action to fix this issue.
CVE-2026-7206
Score 7.3 from GitHub Security Advisory published 2026-04-28. NVD baseline CVSS 7.3; sources differ by 0.0.
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 7.3
- EG Score
- 7.3(medium)
- EPSS
- 19.7%
- KEV
- Not listed
Published
April 28, 2026
Last Modified
April 29, 2026
Advisory Details (4)
Auto-updated Jun 11, 2026sqlite-mcp Arbitrary JSON Write via `extract_to_json` Vulnerability · Issue #1 · dubydu/sqlite-mcp · GitHub
https://github.com/dubydu/sqlite-mcp/issues/1fix: patch path traversal vulnerability in extract_to_json
Fix merged in dubydu/sqlite-mcp PR #2 on 2026-04-10 — awaiting tagged release
https://github.com/dubydu/sqlite-mcp/pull/2commit a5580cb992f4 (dubydu/sqlite-mcp)
Fix landed in dubydu/sqlite-mcp commit a5580cb992f4 — awaiting tagged release
https://github.com/dubydu/sqlite-mcp/commit/a5580cb992f4f6c308c9ffe6442b2e76709db548GitHub - dubydu/sqlite-mcp: A lightweight Model Context Protocol (MCP) server that enables Large Language Models (LLMs) to autonomously interact with SQLite databases. · GitHub
https://github.com/dubydu/sqlite-mcp/Patch Availability(1)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| pip | sqlite-mcp | — | ghsa |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| sqlite-mcp | 0.1.0 | — | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 8× in last 7d / 40× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-16 17:03 UTCEPSS rescore
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 02:00 UTCEPSS rescore
- 2026-07-13 22:31 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 02:31 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
Show 73 moreShow fewer
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-25 13:50 UTCEPSS rescore
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-16 17:53 UTCEPSS rescore
- 2026-06-15 17:49 UTCEPSS rescore
- 2026-06-15 17:49 UTCEPSS rescore
- 2026-06-14 23:18 UTCEPSS rescore
- 2026-06-14 20:51 UTCGHSA enrichment
- 2026-06-14 09:58 UTCGHSA enrichment
- 2026-06-13 23:00 UTCEPSS rescore
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 07:37 UTCGHSA enrichment
- 2026-06-11 20:44 UTCGHSA enrichment
- 2026-06-11 14:00 UTCEPSS rescore
- 2026-06-11 09:51 UTCGHSA enrichment
- 2026-06-10 22:19 UTCEPSS rescore
- 2026-06-10 21:35 UTCGHSA enrichment
- 2026-06-10 13:22 UTCEPSS rescore
- 2026-06-10 10:42 UTCGHSA enrichment
- 2026-06-09 23:38 UTCGHSA enrichment
- 2026-06-09 10:58 UTCGHSA enrichment
- 2026-06-09 00:05 UTCGHSA enrichment
- 2026-06-08 14:17 UTCEPSS rescore
- 2026-06-08 11:15 UTCGHSA enrichment
- 2026-06-08 00:22 UTCGHSA enrichment
- 2026-06-07 15:25 UTCEPSS rescore
- 2026-06-07 13:30 UTCGHSA enrichment
- 2026-06-07 02:25 UTCGHSA enrichment
- 2026-06-06 15:32 UTCGHSA enrichment
- 2026-06-06 13:47 UTCEPSS rescore
- 2026-06-06 03:53 UTCGHSA enrichment
- 2026-06-05 22:47 UTCEPSS rescore
- 2026-06-05 16:34 UTCGHSA enrichment
- 2026-06-05 06:10 UTCEPSS rescore
- 2026-06-05 05:40 UTCGHSA enrichment
- 2026-06-04 18:48 UTCGHSA enrichment
- 2026-06-04 13:12 UTCEPSS rescore
- 2026-06-04 07:56 UTCGHSA enrichment
- 2026-06-03 18:59 UTCGHSA enrichment
- 2026-06-03 08:06 UTCGHSA enrichment
- 2026-06-02 20:26 UTCGHSA enrichment
- 2026-06-02 09:33 UTCGHSA enrichment
- 2026-06-01 22:24 UTCGHSA enrichment
- 2026-06-01 13:52 UTCEPSS rescore
- 2026-06-01 11:31 UTCGHSA enrichment
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-29 13:44 UTCEPSS rescore
- 2026-05-29 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-26 13:44 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-21 22:43 UTCEPSS rescore
- 2026-05-20 22:38 UTCEPSS rescore
- 2026-05-20 15:23 UTCEG score recompute
- 2026-05-20 15:23 UTCGHSA enrichment
- 2026-05-20 11:22 UTCEPSS rescore
Related CVEs(same CWE)
Frequently asked(5)
What is CVE-2026-7206?
When was CVE-2026-7206 disclosed?
Is CVE-2026-7206 actively exploited?
What is the CVSS score of CVE-2026-7206?
How do I remediate CVE-2026-7206?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-7206
Is Your Infrastructure Affected by CVE-2026-7206?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.