Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was detected in pskill9 website-downloader up to 0.1.0. This affects the function download_website of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument outputPath results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
OS command injection in pskill9 website-downloader through 0.1.0 allows authenticated remote attackers to execute arbitrary system commands by manipulating the outputPath argument in the download_website function of the MCP Interface. Publicly available exploit code exists, though the low CVSS score (2.1) reflects required authentication and limited scope of impact; the vulnerability remains relevant for deployments where the MCP Interface is exposed to untrusted authenticated users.
Technical ContextAI
The vulnerability exists in the download_website function within src/index.ts of the MCP (Model Context Protocol) Interface component. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), where user-supplied input from the outputPath parameter is passed unsanitized to operating system command execution. The MCP Interface likely constructs shell commands using string concatenation or similar unsafe methods without properly escaping or validating the outputPath argument, allowing an attacker to inject arbitrary OS commands by embedding shell metacharacters or command chaining operators into the path.
RemediationAI
No vendor-released patch identified at time of analysis; the project maintainer has not responded to the early notification. Immediate mitigation requires input validation and sanitization of the outputPath parameter - implement strict allowlisting of permitted path characters (alphanumerics, hyphens, underscores, forward slashes only) and reject any input containing shell metacharacters (backticks, dollar signs, pipes, semicolons, parentheses, or ampersands). Alternatively, refactor the download_website function to use parameterized system calls or language-native APIs rather than shell command construction, which eliminates command injection vectors entirely. Until code-level fixes are deployed, restrict network access to the MCP Interface to trusted internal networks only, disable the interface if not actively required, and require stronger authentication (OAuth 2.0 or mutual TLS) instead of basic low-privilege credentials. Monitor process execution logs for unexpected child processes spawned by the website-downloader service. Users should track GitHub issue #7 (https://github.com/pskill9/website-downloader/issues/7) for vendor response or consider using alternative, actively maintained website-download libraries.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26796