{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4593", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-22T11:59:29.171Z", "datePublished": "2026-03-23T16:55:59.020Z", "dateUpdated": "2026-03-25T14:19:46.730Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-23T16:55:59.020Z"}, "title": "erupts erupt MCP Tool EruptDataQuery.java EruptDataQuery sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-564", "lang": "en", "description": "SQL Injection Hibernate"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}], "affected": [{"vendor": "erupts", "product": "erupt", "versions": [{"version": "1.13.0", "status": "affected"}, {"version": "1.13.1", "status": "affected"}, {"version": "1.13.2", "status": "affected"}, {"version": "1.13.3", "status": "affected"}], "modules": ["MCP Tool Interface"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in erupts erupt bis 1.13.3. Affected by this vulnerability is the function EruptDataQuery of the file erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java of the component MCP Tool Interface. This manipulation causes sql injection hibernate. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-22T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-22T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-22T13:04:42.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "xcxr (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.352430", "name": "VDB-352430 | erupts erupt MCP Tool EruptDataQuery.java EruptDataQuery sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352430", "name": "VDB-352430 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775593", "name": "Submit #775593 | erupts erupt erupt \u2264 1.13.3 Improper Input Validation", "tags": ["third-party-advisory"]}, {"url": "https://fx4tqqfvdw4.feishu.cn/docx/EunDdwORZoG3uzxpLykcj24mncJ?from=from_copylink", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:19:27.313965Z", "id": "CVE-2026-4593", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:19:46.730Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4593", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T14:19:27.313965Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:19:41.511Z"}}], "cna": {"title": "erupts erupt MCP Tool EruptDataQuery.java EruptDataQuery sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "xcxr (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "erupts", "modules": ["MCP Tool Interface"], "product": "erupt", "versions": [{"status": "affected", "version": "1.13.0"}, {"status": "affected", "version": "1.13.1"}, {"status": "affected", "version": "1.13.2"}, {"status": "affected", "version": "1.13.3"}]}], "timeline": [{"lang": "en", "time": "2026-03-22T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-22T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-22T13:04:42.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.352430", "name": "VDB-352430 | erupts erupt MCP Tool EruptDataQuery.java EruptDataQuery sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352430", "name": "VDB-352430 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775593", "name": "Submit #775593 | erupts erupt erupt \u2264 1.13.3 Improper Input Validation", "tags": ["third-party-advisory"]}, {"url": "https://fx4tqqfvdw4.feishu.cn/docx/EunDdwORZoG3uzxpLykcj24mncJ?from=from_copylink", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in erupts erupt bis 1.13.3. Affected by this vulnerability is the function EruptDataQuery of the file erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java of the component MCP Tool Interface. This manipulation causes sql injection hibernate. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-564", "description": "SQL Injection Hibernate"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-23T16:55:59.020Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4593", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:19:46.730Z", "dateReserved": "2026-03-22T11:59:29.171Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-23T16:55:59.020Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in erupts erupt bis 1.13.3. Affected by this vulnerability is the function EruptDataQuery of the file erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java of the component MCP Tool Interface. This manipulation causes sql injection hibernate. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha encontrado una falla en erupts erupt bis 1.13.3. Afectada por esta vulnerabilidad es la funci\u00f3n EruptDataQuery del archivo erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java del componente MCP Tool Interface. Esta manipulaci\u00f3n causa inyecci\u00f3n SQL hibernate. Es posible iniciar el ataque remotamente. El exploit ha sido publicado y puede ser usado. El proveedor fue contactado tempranamente sobre esta divulgaci\u00f3n pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-4593", "lastModified": "2026-03-24T15:54:09.400", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-23T17:16:57.977", "references": [{"source": "cna@vuldb.com", "url": "https://fx4tqqfvdw4.feishu.cn/docx/EunDdwORZoG3uzxpLykcj24mncJ?from=from_copylink"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.352430"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.352430"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.775593"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}, {"lang": "en", "value": "CWE-564"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.13.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.13.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.13.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.13.3"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "erupt", "source": "cna", "vendor": "erupts"}, "product": "erupt", "vendor": "erupt"}], "analysis": {"en": {"generated_at": "2026-03-23T18:50:35.213263+00:00", "value": {"mitigation_remediation": ["Apply any available patch or newer release from the vendor that addresses the EruptDataQuery SQL injection.", "If no patch is available, upgrade to a version that is not affected by this vulnerability.", "Restrict the database account used by the application to the minimum privileges required for normal operation.", "Implement input validation or use prepared statements in the application to reduce the risk of SQL injection.", "Deploy a web application firewall or database activity monitoring to detect suspicious queries.", "Monitor the vendor\u2019s security advisories and respond promptly to any updates."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection allowing remote database manipulation"}, "threat_synthesis": {"affected_systems": "The affected product is erupts: erupt, specifically version 1.13.3 of the erupt-ai component. The vulnerability resides in the file erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java of the MCP Tool Interface. Deployments using this exact release are at risk if no update is applied.", "description_and_impact": "The flaw occurs in the EruptDataQuery function of the MCP Tool Interface, enabling users to inject arbitrary SQL statements into the underlying database through Hibernate. This vulnerability can lead to unauthorized database access, such as reading, modifying or deleting sensitive data. The description confirms that the injection can be triggered remotely and that a published exploit exists.", "risk_and_exploitability": "The CVSS score of 5.3 classifies the vulnerability as moderate severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog. However, the description indicates that the exploit can be performed remotely over the network and that an exploit has already been published, increasing the likelihood of real-world attacks. The overall risk remains moderate, with unpatched deployments susceptible to database compromise."}}}}, "created": "2026-03-24T10:33:32.275212+00:00", "updated": "2026-03-25T20:37:23.045001+00:00", "vendors": ["erupt", "erupt$PRODUCT$erupt"]}