CVE-2026-7642: OS Command Injection in pskill9 website-downloader
A vulnerability was detected in pskill9 website-downloader up to 0.1.0. It affects the function download_website in the file src/index.ts of the MCP Interface component. Manipulating the outputPath argument results in OS command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
The pskill9 website-downloader up to version 0.1.0 contains an OS command injection vulnerability in the download_website function of the MCP Interface component. Specifically, improper handling of the outputPath argument allows an attacker to inject arbitrary OS commands. This vulnerability is remotely exploitable without requiring user interaction and has a CVSS 4.0 score of 5.3 (medium severity). The project has been informed but has not issued a fix or mitigation guidance as of the published date.
Potential Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary OS commands on the system running the vulnerable website-downloader software. This could lead to unauthorized system access or control depending on the privileges of the application process. The vulnerability is remotely exploitable and does not require user interaction, increasing the risk of automated attacks. However, no known exploits in the wild have been reported so far.
Mitigation Recommendations
No official fix or patch is currently available from the vendor or project. Users should monitor the project repository or advisories for updates. Until a patch is released, avoid using the affected version (0.1.0) in untrusted environments or restrict access to the application to trusted users only. Consider applying manual input validation or sandboxing measures if feasible. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
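One way to apply the manual input validation suggested above, as an added example that is not the project's code. It assumes download_website hands outputPath to an external downloader such as wget; the function names, the `downloads` root and the 255-character limit are hypothetical.

```typescript
import * as path from "node:path";
import { execFile } from "node:child_process";

// Assumption: downloads are confined to one directory; this root is hypothetical.
const DOWNLOAD_ROOT = path.resolve("downloads");
// Allowlist: letters, digits, ".", "_", "-" and "/" only, so no shell
// metacharacters, quotes, whitespace or control characters get through.
const SAFE_PATH = /^[A-Za-z0-9._\/-]+$/;

// Validate the caller-supplied outputPath and return an absolute path under root.
function resolveOutputPath(outputPath: string, root: string = DOWNLOAD_ROOT): string {
  if (typeof outputPath !== "string" || outputPath.length === 0 || outputPath.length > 255) {
    throw new Error("outputPath: empty, too long or not a string");
  }
  if (!SAFE_PATH.test(outputPath)) {
    throw new Error("outputPath: disallowed character");
  }
  const resolved = path.resolve(root, outputPath);
  const rel = path.relative(root, resolved);
  // Reject absolute paths and ".." traversal that land outside the root.
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("outputPath: escapes download root");
  }
  return resolved;
}

// Build an argument vector instead of a command string. The resolved path is
// absolute, so it cannot be read as an option; "--" does the same for the URL.
function buildArgs(url: string, outputPath: string, root: string = DOWNLOAD_ROOT): string[] {
  const parsed = new URL(url); // throws on malformed input
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    throw new Error("url: only http and https are accepted");
  }
  return ["--directory-prefix", resolveOutputPath(outputPath, root), "--", parsed.href];
}

// execFile starts the program directly with argv and does not spawn a shell,
// so nothing in the arguments is interpreted as shell syntax.
function runDownload(url: string, outputPath: string): void {
  execFile("wget", buildArgs(url, outputPath), (err) => {
    if (err) console.error("download failed:", err.message);
  });
}
```

The allowlist and the shell-free invocation are independent layers: either one alone blocks shell metacharacters in outputPath, and the containment check additionally stops writes outside the download root.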
CVSS v4.0
Score: 5.3 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-05-01T16:24:48.471Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69f60f6bcbff5d8610edce3d
Added to database: 5/2/2026, 2:51:23 PM
Last enriched: 5/10/2026, 2:06:30 AM
Last updated: 6/16/2026, 4:19:39 AM