CVE-2026-7642
Deferred Deferred - Pending Action
Command Injection in pskill9 website-downloader

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: VulDB

Description
A vulnerability was detected in pskill9 website-downloader up to 0.1.0. This affects the function download_website of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument outputPath results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7642
EUVD
EUVD-2026-26796
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pskill9 website-downloader to 0.1.0 (inc)
pskill9 website_downloader to 0.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7642 is a command injection vulnerability in the pskill9 website-downloader tool, specifically in the download_website function of the MCP Interface component. The vulnerability occurs because the tool constructs a wget command by directly concatenating user-supplied arguments, including outputPath, into a shell command string executed via child_process.exec without proper escaping or argument separation.

An attacker with network access to the MCP interface can inject shell metacharacters (such as ; or &&) into the outputPath parameter, allowing execution of arbitrary operating system commands with the privileges of the server process. This can lead to full host compromise.

Impact Analysis

This vulnerability can have severe impacts including full host compromise. An attacker can execute arbitrary OS commands on the server hosting the website-downloader tool, which may result in data exposure, loss of data integrity, and disruption of services.

  • Data exposure due to unauthorized command execution.
  • Integrity loss by modifying or deleting data.
  • Service disruption caused by executing malicious commands.
Detection Guidance

This vulnerability can be detected by monitoring for suspicious usage of the download_website tool, especially requests that include shell metacharacters in the outputPath parameter.

A proof of concept involves sending a request with a malicious outputPath containing shell metacharacters such as "; id #" which executes arbitrary OS commands.

To detect exploitation attempts, you can look for unusual command executions or network requests invoking the download_website tool with suspicious parameters.

  • Check logs for commands or requests containing shell metacharacters like ;, &&, or backticks in the outputPath argument.
  • Use network monitoring tools to detect requests to the MCP interface that include suspicious outputPath values.
  • If you have access to the server, monitor process executions for wget commands constructed with unescaped user input.
  • Example command to search logs for suspicious outputPath usage: grep -E 'outputPath=.*[;&`]' /var/log/your_application.log
Mitigation Strategies

Immediate mitigation steps include restricting access to the download_website tool to trusted users or networks.

Reject or sanitize any shell metacharacters in the outputPath parameter to prevent command injection.

Run the server process with the lowest possible privileges to limit the impact of a potential exploit.

Avoid using child_process.exec for command execution; instead, use safer alternatives like child_process.execFile or spawn that do not invoke a shell.

Validate all inputs rigorously and add regression tests to detect injection attempts.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary OS commands on the server hosting the website-downloader tool, potentially leading to full host compromise.

Such a compromise can result in unauthorized data exposure, loss of data integrity, and service disruption.

These impacts can negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of data confidentiality, integrity, and availability.

Specifically, unauthorized data exposure could violate data privacy requirements, while integrity loss and service disruption could breach operational and security controls mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7642. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart