CVE-2026-11529

EUVD-2026-35108

08.06.2026, 16:16

A vulnerability was determined in designcomputer mysql-mcp-server up to 0.2.2. The impacted element is the function read_resource of the file src/mysql_mcp_server/server.py of the component mysql URI Handler. This manipulation of the argument uri_str causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.3.0 is sufficient to resolve this issue. Patch name: 080bef9a96d625ce0dfbde573a08b93497871981. Upgrading the affected component is advised.

Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 14%

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References

https://github.com/designcomputer/mysql_mcp_server/commit/080bef9a96d625ce0dfbde573a08b93497871981

https://github.com/designcomputer/mysql_mcp_server/issues/89

https://github.com/designcomputer/mysql_mcp_server/pull/86

https://github.com/designcomputer/mysql_mcp_server/releases/tag/v0.3.0

https://vuldb.com/cve/CVE-2026-11529

https://vuldb.com/submit/836490

https://vuldb.com/vuln/369146

https://vuldb.com/vuln/369146/cti