CVE-2026-31040: stata-mcp has insufficient validation of user-supplied Stata do-file content that can lead to command execution

April 8, 2026

A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.

References

github.com/SepineTam/stata-mcp/commit/52413ce
github.com/SepineTam/stata-mcp/issues/20
github.com/SepineTam/stata-mcp/pull/21
github.com/SepineTam/stata-mcp/releases/tag/v1.13.0
github.com/advisories/GHSA-jpcj-7wfg-mqxv
github.com/sepinetam/stata-mcp
nvd.nist.gov/vuln/detail/CVE-2026-31040

Code Behaviors & Features

Detect and mitigate CVE-2026-31040 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →