Description
A vulnerability was detected in pskill9 website-downloader up to 0.1.0. It affects the function download_website in the file src/index.ts of the component MCP Interface. Manipulation of the argument outputPath results in OS command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-02
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in pskill9 website-downloader version 0.1.0, classified as CWE-77 and CWE-78, allows an attacker to manipulate the outputPath argument of the download_website function, resulting in OS command injection. The injection can be triggered remotely, giving an attacker the ability to execute arbitrary shell commands on the host machine and thereby compromising the confidentiality, integrity, and availability of the affected system. The CVSS score of 5.3 indicates moderate severity, and no public patch currently exists for this vulnerability.

Affected Systems

The vulnerability affects the pskill9 website-downloader package, up to and including version 0.1.0. No other variants or vendor products are listed as impacted.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate severity. While no EPSS score is available and the issue is not listed in CISA KEV, the lack of a public patch and the ability to trigger the attack remotely increase the risk. An attacker could exploit the flaw by sending a crafted request to the download_website endpoint, leading to arbitrary command execution on the host that runs the service.

Generated by OpenCVE AI on May 2, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Limit access to the download_website endpoint so that only authorized and trusted users can invoke it
  • Patch the application code to sanitize or strictly validate the outputPath parameter before it is used in a shell command, such as stripping metacharacters or using a whitelist approach
  • Monitor application logs for suspicious use of the download_website function or unexpected shell execution attempts
  • When an official patch becomes available, upgrade to the fixed version immediately


Tracking


Advisories

No advisories yet.

History

Sat, 02 May 2026 14:45:00 +0000

Type | Values Removed | Values Added

Description | | A vulnerability was detected in pskill9 website-downloader up to 0.1.0. It affects the function download_website in the file src/index.ts of the component MCP Interface. Manipulation of the argument outputPath results in OS command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Title | | pskill9 website-downloader MCP index.ts download_website OS command injection

Weaknesses | | CWE-77, CWE-78

References | |

Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-02T14:30:13.246Z

Reserved: 2026-05-01T16:24:48.471Z

Link: CVE-2026-7642

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T15:16:14.047

Modified: 2026-05-02T15:16:14.047

Link: CVE-2026-7642

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T16:00:06Z

Weaknesses