CVE-2026-7599: Path Traversal in Dayoooun hwpx-mcp
CVE-2026-7599 is a path traversal vulnerability in Dayoooun hwpx-mcp version 0. 2. 0 affecting the MCP Interface component. Specifically, the functions save_document, export_to_text, and export_to_html in the mcp-server/src/index. ts file improperly handle the output_path argument, allowing an attacker to manipulate file paths. This vulnerability can be exploited remotely without user interaction and has a medium severity rating. The vulnerability is publicly known and the exploit code is available. The vendor has been informed but has not yet responded or provided a patch.
AI Analysis
Technical Summary
Dayoooun hwpx-mcp 0.2.0 contains a path traversal vulnerability in the MCP Interface component's save_document, export_to_text, and export_to_html functions within mcp-server/src/index.ts. Manipulating the output_path argument enables an attacker to traverse directories and potentially write files outside intended locations. Remote exploitation is possible without user interaction. The vulnerability has a CVSS 4.0 score of 5.3 (medium severity). The vendor has not issued a patch or official remediation as of the published date.
Potential Impact
Successful exploitation allows an attacker with low privileges to perform path traversal via the output_path argument, potentially leading to unauthorized file writes or overwrites outside the intended directory. This could compromise system integrity or availability depending on the files affected. The vulnerability is remotely exploitable without user interaction, increasing risk. However, the impact is rated medium due to limited scope and required privileges.
Mitigation Recommendations
No official patch or remediation is currently available from the vendor. Since the vendor has not responded or provided a fix, users should consider implementing manual input validation or sanitization of the output_path argument to prevent path traversal. Monitor vendor advisories for updates and apply official patches promptly once released. Avoid exposing the vulnerable service to untrusted networks until remediation is available.
CVE-2026-7599: Path Traversal in Dayoooun hwpx-mcp
Description
CVE-2026-7599 is a path traversal vulnerability in Dayoooun hwpx-mcp version 0. 2. 0 affecting the MCP Interface component. Specifically, the functions save_document, export_to_text, and export_to_html in the mcp-server/src/index. ts file improperly handle the output_path argument, allowing an attacker to manipulate file paths. This vulnerability can be exploited remotely without user interaction and has a medium severity rating. The vulnerability is publicly known and the exploit code is available. The vendor has been informed but has not yet responded or provided a patch.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Dayoooun hwpx-mcp 0.2.0 contains a path traversal vulnerability in the MCP Interface component's save_document, export_to_text, and export_to_html functions within mcp-server/src/index.ts. Manipulating the output_path argument enables an attacker to traverse directories and potentially write files outside intended locations. Remote exploitation is possible without user interaction. The vulnerability has a CVSS 4.0 score of 5.3 (medium severity). The vendor has not issued a patch or official remediation as of the published date.
Potential Impact
Successful exploitation allows an attacker with low privileges to perform path traversal via the output_path argument, potentially leading to unauthorized file writes or overwrites outside the intended directory. This could compromise system integrity or availability depending on the files affected. The vulnerability is remotely exploitable without user interaction, increasing risk. However, the impact is rated medium due to limited scope and required privileges.
Mitigation Recommendations
No official patch or remediation is currently available from the vendor. Since the vendor has not responded or provided a fix, users should consider implementing manual input validation or sanitization of the output_path argument to prevent path traversal. Monitor vendor advisories for updates and apply official patches promptly once released. Avoid exposing the vulnerable service to untrusted networks until remediation is available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-01T10:47:05.673Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f523decbff5d861069ef75
Added to database: 5/1/2026, 10:06:22 PM
Last enriched: 5/1/2026, 10:21:21 PM
Last updated: 5/1/2026, 11:13:28 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.