sqlite-mcp has an Injection issue
Moderate severity
GitHub Reviewed
Published
Apr 28, 2026
to the GitHub Advisory Database
•
Updated May 6, 2026
Description
Published by the National Vulnerability Database
Apr 28, 2026
Published to the GitHub Advisory Database
Apr 28, 2026
Reviewed
May 6, 2026
Last updated
May 6, 2026
A security flaw has been discovered in dubydu sqlite-mcp up to 0.1.0. The affected element is the function extract_to_json of the file src/entry.py. Performing a manipulation of the argument output_filename results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The patch is named a5580cb992f4f6c308c9ffe6442b2e76709db548. Applying a patch is the recommended action to fix this issue.
References