CVE-2026-7642
Command Injection in pskill9 website-downloader
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pskill9 | website-downloader | up to and including 0.1.0 |
| pskill9 | website_downloader | up to and including 0.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7642 is a command injection vulnerability in the pskill9 website-downloader tool, specifically in the download_website function of its MCP Interface component. The tool builds a wget command line by string-concatenating caller-supplied arguments, including outputPath, and runs the result with child_process.exec. exec hands that string to a shell (/bin/sh -c on Unix), so nothing separates the intended arguments from shell syntax embedded inside them.
An attacker who can reach the MCP interface therefore only needs to place shell metacharacters (;, &&, |, $( ), backticks) in outputPath to run arbitrary OS commands with the privileges of the server process, which can lead to full host compromise. Because MCP tools are typically invoked by an LLM client rather than typed by a person, any party that can steer that client into calling download_website with a crafted outputPath (for example through content the model reads) reaches the same sink.
How can this vulnerability impact me?
The impact is full host compromise of the machine running the website-downloader MCP server: the attacker executes arbitrary OS commands as the server's user, and anything that user can read, write or reach over the network is exposed.
- Data exposure: files, credentials and tokens readable by the server process can be exfiltrated.
- Integrity loss: data can be modified or deleted, and persistence (cron jobs, SSH keys, altered binaries) planted.
- Service disruption: the downloader and anything else on the host can be stopped or abused, for instance as a pivot into the surrounding network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts are visible wherever the MCP traffic or the resulting process executions are logged, so look for download_website calls whose outputPath argument contains shell metacharacters.
The proof of concept reported for this issue sends a request whose outputPath contains shell metacharacters such as "; id #", which makes the server run id after wget and comments out the rest of the command line.
Practical checks:
- Search MCP request or application logs for download_website calls whose outputPath contains ;, &&, |, $(, backticks or newlines. Tool invocations arrive as JSON-RPC tools/call messages, so the value appears under a JSON key ("outputPath": "..."), not as a query-string parameter.
- If the MCP server is exposed over HTTP, inspect that traffic with a proxy, WAF or IDS rule for the same values.
- On the host, audit process creation (auditd execve rules, an EDR, or similar): a /bin/sh -c child of the node process whose command line begins with wget and continues with an unexpected second command is the signature of a successful injection.
- Example grep for JSON-style logs (the file path is a placeholder for your own log): grep -E '"outputPath"[[:space:]]*:[[:space:]]*"[^"]*[;&|`$]' /var/log/your_application.log
What immediate steps should I take to mitigate this vulnerability?
Immediate steps:
- Restrict who can reach the MCP interface: bind it to localhost or a trusted network and require authentication. Treat any LLM client that has this tool wired in as a potential injection path, since the model can be talked into calling the tool on an attacker's behalf.
- As a stopgap, reject outputPath values that contain shell metacharacters (or, better, anything outside a strict allow-list such as [A-Za-z0-9._/-]) and confine them to a dedicated download directory. Character denylists are fragile, so rely on this only until the code is fixed.
- Fix the code: stop passing a concatenated string to child_process.exec. Use child_process.execFile or spawn with an argv array, which delivers each value to wget as one argument with no shell in between. Keep validating the arguments, because execFile prevents shell injection but not argument injection: place -- before the URL and use --directory-prefix=<path> rather than a separate -P so a value beginning with - cannot be read as a wget option.
- Run the server as an unprivileged user with the narrowest filesystem and network access wget needs, so a successful injection is contained.
- Add regression tests that call download_website with metacharacter payloads and assert that no extra process is executed, and check the project for a release that addresses this issue before relying on local patches alone.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because the flaw gives an attacker arbitrary OS command execution on the host running the website-downloader tool, any regulated data that host stores or can reach is at risk of unauthorized disclosure, modification or loss of availability.
Those outcomes map directly onto obligations in frameworks such as GDPR and HIPAA, which require protection of data confidentiality, integrity and availability: unauthorized disclosure can trigger breach-notification duties, while integrity loss and service disruption undermine the technical and organizational controls those regulations expect.