CVE Alert

CVE-2026-7599

MEDIUM 6.3

Dayoooun hwpx-mcp MCP index.ts export_to_html path traversal

CVSS Score: 6.3
EPSS Score: 0.0%
EPSS Percentile: 0th

A vulnerability was detected in Dayoooun hwpx-mcp 0.2.0. It affects the functions save_document, export_to_text and export_to_html in the file mcp-server/src/index.ts of the MCP Interface component. Manipulating the output_path argument results in path traversal. The attack can be exploited remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE: CWE-22
Vendor: dayoooun
Product: hwpx-mcp
Published: May 1, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Affected Versions

Dayoooun / hwpx-mcp
0.2.0

References

vuldb.com: https://vuldb.com/vuln/360556
vuldb.com: https://vuldb.com/vuln/360556/cti
vuldb.com: https://vuldb.com/submit/805608
github.com: https://github.com/Dayoooun/hwpx-mcp/issues/3
github.com: https://github.com/BruceJqs/public_exp/issues/28
github.com: https://github.com/Dayoooun/hwpx-mcp/

Credits

_Eternity_ (VulDB User)
VulDB CNA Team