CVE-2026-7642

Name of the Vulnerable Software and Affected Versions pskill9 website-downloader versions prior to 0.1.1

Description An OS command injection issue exists in the MCP Interface component within the download website() function of the src/index.ts file. A remote attacker can trigger this by manipulating the outputPath argument. OS command injection is a flaw that allows an attacker to execute arbitrary operating system commands on the server.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict the use of the outputPath argument in the download website() function to minimize the risk of exploitation.