CVE-2026-5322 (CVSS 7.3, CWE-89) is an unauthenticated SQL injection in the Request function of mcp-data-vis, an open-source MCP data visualization tool with no versioned releases and no vendor patch available. The exploit is publicly disclosed, all deployed instances are considered affected, and the vendor has not responded. Immediate remediation requires either removing the component from the environment or applying manual parameterized query fixes to src/servers/database/server.js before any redeployment from confirmed affected commits.