Submit #806812: pskill9 website-downloader Commit 5b399bebad1800ac6df5052b63eaea37117092b6 Command Injectioninfo

Titlepskill9 website-downloader Commit 5b399bebad1800ac6df5052b63eaea37117092b6 Command Injection
DescriptionA command injection vulnerability (CWE-78) has been identified in website-downloader version 0.1.0, specifically within the download_website MCP tool in src/index.ts. The tool constructs a wget command by concatenating user‑supplied url and outputPath arguments into a shell command string and executes it via child_process.exec without proper escaping or argument separation. An attacker with network access to the MCP interface can inject shell metacharacters through outputPath (e.g., ; id #) to execute arbitrary operating system commands with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting.
Source⚠️ https://github.com/pskill9/website-downloader/issues/7
User
 BruceJqs (UID 97404)
Submission04/17/2026 06:27 (3 months ago)
Moderation05/01/2026 18:24 (14 days later)
StatusAccepted
VulDB entry360754 [pskill9 website-downloader up to 0.1.0 MCP Interface src/index.ts download_website outputPath os command injection]
Points20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!