GHSA-wfr3-hf93-qgg3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wfr3-hf93-qgg3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wfr3-hf93-qgg3/GHSA-wfr3-hf93-qgg3.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wfr3-hf93-qgg3
- Aliases
-
- CVE-2026-7159
- Published
- 2026-04-28T00:31:40Z
- Modified
- 2026-05-06T19:21:44.858570Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- mkdocs-mcp-plugin has a Path Traversal issue
- Details
-
A vulnerability was found in douinc mkdocs-mcp-plugin up to 0.4.1. This affects the function readdocument/listdocuments of the file server.py. Performing a manipulation of the argument docsdir/filepath results in path traversal. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor confirms, that the "fix will be published within a few days."
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "cwe_ids": [ "CWE-22" ], "github_reviewed_at": "2026-05-06T19:02:37Z", "nvd_published_at": "2026-04-27T22:16:18Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2026-7159
- https://github.com/douinc/mkdocs-mcp-plugin/issues/6
- https://github.com/douinc/mkdocs-mcp-plugin/issues/6#issuecomment-4223718119
- https://github.com/douinc/mkdocs-mcp-plugin
- https://vuldb.com/submit/802063
- https://vuldb.com/vuln/359758
- https://vuldb.com/vuln/359758/cti
Affected packages
PyPI / mkdocs-mcp-plugin
Package
- Name
- mkdocs-mcp-plugin
- View open source insights on deps.dev
- Purl
- pkg:pypi/mkdocs-mcp-plugin