| Title | pskill9 website-downloader Commit 5b399bebad1800ac6df5052b63eaea37117092b6 Command Injection |
|---|
| Description | A command injection vulnerability (CWE-78) has been identified in website-downloader version 0.1.0, specifically within the download_website MCP tool in src/index.ts. The tool constructs a wget command by concatenating user‑supplied url and outputPath arguments into a shell command string and executes it via child_process.exec without proper escaping or argument separation. An attacker with network access to the MCP interface can inject shell metacharacters through outputPath (e.g., ; id #) to execute arbitrary operating system commands with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting. |
|---|
| Source | ⚠️ https://github.com/pskill9/website-downloader/issues/7 |
|---|
| User | BruceJqs (UID 97404) |
|---|
| Submission | 04/17/2026 06:27 (3 months ago) |
|---|
| Moderation | 05/01/2026 18:24 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 360754 [pskill9 website-downloader up to 0.1.0 MCP Interface src/index.ts download_website outputPath os command injection] |
|---|
| Points | 20 |
|---|