Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 2 npm packages depend on @puchunjie/doc-tools-mcp (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.0.18.
DescriptionCVE.org
A security flaw has been discovered in puchunjie doc-tools-mcp 1.0.18. This affects the function create_document/open_document of the file src/mcp-server.ts of the component MCP Interface. The manipulation of the argument filePath results in path traversal. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Path traversal in puchunjie doc-tools-mcp 1.0.18 MCP Interface allows authenticated remote attackers to access arbitrary files on the system via manipulation of the filePath argument in create_document and open_document functions. The vulnerability has a low CVSS score (2.1) due to authentication requirements and limited confidentiality impact, but publicly available exploit code exists. The vendor has not responded to the early disclosure.
Technical ContextAI
The vulnerability exists in the MCP (Model Context Protocol) server interface implemented in src/mcp-server.ts. The create_document and open_document functions fail to properly validate or sanitize the filePath parameter before using it in file operations, allowing path traversal sequences (such as '../') to be used to navigate outside intended directory boundaries. This is a classic CWE-22 path traversal flaw where user-supplied input is passed directly to file system operations without adequate validation. The MCP server architecture exposes these functions as remote-callable endpoints, making the vulnerability remotely accessible.
RemediationAI
No vendor-released patch identified at time of analysis-the project maintainer has not responded to the early disclosure. Immediate compensating controls are required: (1) Restrict network access to the MCP server to trusted networks only using firewall rules or network segmentation; (2) Implement strict input validation in the MCP server configuration to reject filePath arguments containing path traversal sequences ('../', '..\', absolute paths, or symbolic links) before processing; (3) Run the MCP server with minimal filesystem permissions-confine the process to a dedicated user account with read-only or read-write access limited to a specific document directory, preventing traversal outside that directory even if validation fails; (4) Monitor file access logs for suspicious patterns (repeated 401/403 errors, traversal attempts) and alert on any create_document/open_document calls with suspicious filePath values. If the product cannot be hardened, consider replacing it with an alternative MCP implementation or removing MCP functionality until a patch is released. Track https://github.com/puchunjie/doc-tools-mcp/issues/4 and https://vuldb.com/vuln/360913 for vendor updates.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26919