CVE-2026-14702
LowCVSS 2.5Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
A vulnerability has been found in zcaceres markdownify-mcp up to version 1.1.0, involving insufficiently random values in the saveToTempFile function of src/Markdownify.ts. The attack requires local access and is difficult to exploit, but an exploit has been published.
Risk Assessment
The organization may face local attacks that could lead to predictable temporary file names and potential data integrity issues. Due to the high attack complexity, the risk is limited, but the exploit is publicly available.
Recommendation
Immediately update zcaceres markdownify-mcp to the latest version after the pull request with the fix is accepted. Until the patch is released, restrict local access to the system.
Original NVD description (English source)
A flaw has been found in zcaceres markdownify-mcp up to 1.1.0. This impacts the function saveToTempFile of the file src/Markdownify.ts of the component webpage-to-markdown/youtube-to-markdown/bing-search-to-markdown. This manipulation causes insufficiently random values. The attack is restricted to local execution. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

