Description
A vulnerability was detected in Dayoooun hwpx-mcp 0.2.0. This affects the function save_document/export_to_text/export_to_html of the file mcp-server/src/index.ts of the component MCP Interface. Performing a manipulation of the argument output_path results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal flaw in the export_to_html function of Dayoooun hwpx-mcp version 0.2.0. By manipulating the output_path argument, an attacker can traverse to arbitrary files on the host filesystem, enabling the reading of sensitive data and, if permissions allow, the writing or execution of files, which could lead to remote code execution.

Affected Systems

Affected product: Dayoooun hwpx-mcp 0.2.0 – specifically the MCP Interface’s mcp-server component in the file mcp-server/src/index.ts. No other products or versions were identified as vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, but the description states that remote exploitation is possible and the exploit is publicly available. The vendor has not released a patch. The most likely attack vector is a remote client sending crafted output_path values to the export endpoint over the network. The risk remains until a fix is deployed or mitigations are applied.

Generated by OpenCVE AI on May 2, 2026 at 06:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dayoooun hwpx-mcp to a patched version as soon as it is released.
  • Limit the export functionality to trusted users only, or disable it entirely for unauthenticated access.
  • Apply tight file system permissions so the application process cannot read or write outside its intended directory.
  • Implement input validation to reject any output_path containing '..' or absolute paths.
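
One way to implement the input-validation recommendation above, as an added example that is not hwpx-mcp's own code: it resolves output_path against a fixed export root and checks containment, rather than matching '..' as a string. EXPORT_ROOT, resolveOutputPath and isAllowed are hypothetical names, and the sample paths are constructed.

```typescript
import * as path from "node:path";

// Hypothetical export root (assumption); a real server would read it from its own configuration.
const EXPORT_ROOT = "/srv/hwpx-exports";

// Resolve a client-supplied output_path against the export root and refuse
// anything that lands outside it. Returns the absolute path to write to.
function resolveOutputPath(outputPath: string, root: string = EXPORT_ROOT): string {
  if (typeof outputPath !== "string" || outputPath.length === 0) {
    throw new Error("output_path must be a non-empty string");
  }
  if (outputPath.includes("\0")) {
    throw new Error("output_path contains a NUL byte");
  }
  const base = path.resolve(root);
  // path.resolve collapses "." and ".." segments; an absolute outputPath replaces base entirely.
  const target = path.resolve(base, outputPath);
  const rel = path.relative(base, target);
  // rel is "" for the root itself, starts with a ".." segment when target is above
  // the root, and is absolute when target sits on another drive (Windows).
  const escapes =
    rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error(`output_path escapes ${base}: ${outputPath}`);
  }
  return target;
}

// Boolean wrapper so callers (and the sample run below) can test a path without try/catch.
function isAllowed(outputPath: string): boolean {
  try { resolveOutputPath(outputPath); return true; } catch { return false; }
}

// Constructed sample inputs: the first three stay inside the root, the rest do not.
const samples = [
  "report.html", "2026/report.txt", "notes..v2.txt",
  "../../etc/cron.d/job", "sub/../../outside.html", "/etc/passwd",
  "/srv/hwpx-exports-old/x.html", ".",
];
for (const s of samples) {
  console.log(JSON.stringify(s), isAllowed(s) ? "allowed" : "rejected");
}
```

The check is lexical and does not follow symbolic links, so a symlink that already exists inside the export root needs a separate realpath comparison on the parent directory before writing.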

Advisories

No advisories yet.

History

Fri, 01 May 2026 22:00:00 +0000

Values added in this change (the Values Removed column is empty):

  • Description: A vulnerability was detected in Dayoooun hwpx-mcp 0.2.0. This affects the function save_document/export_to_text/export_to_html of the file mcp-server/src/index.ts of the component MCP Interface. Performing a manipulation of the argument output_path results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
  • Title: Dayoooun hwpx-mcp MCP index.ts export_to_html path traversal
  • Weaknesses: CWE-22
  • References:
  • Metrics:
      cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-01T21:45:12.296Z

Reserved: 2026-05-01T10:47:05.673Z

Link: CVE-2026-7599

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-01T22:16:17.127

Modified: 2026-05-01T22:16:17.127

Link: CVE-2026-7599

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses