Symlink Following Vulnerability in zcaceres markdownify-mcp Product
CVE-2026-14699
4.8 MEDIUM
What is CVE-2026-14699?
A vulnerability has been discovered in zcaceres markdownify-mcp, in the assertPathAllowed function of src/Markdownify.ts. It can be exploited through local manipulation and allows an attacker to follow symbolic links, potentially leading to unauthorized access or exposure of sensitive data. A patch has been proposed and is pending acceptance.
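The following is an added example, not code from markdownify-mcp or its proposed patch. It shows one common way an allowed-path check ends up following links (a purely lexical comparison, assumed here for illustration) beside a form that canonicalises with realpath first; `isInside`, `lexicalCheck`, `resolveAllowed`, `demo` and the fixture file names are hypothetical.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// True when target is root itself or lies beneath it (both already absolute).
function isInside(root: string, target: string): boolean {
  const rel = path.relative(root, target);
  return rel === "" || (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel));
}

// Weak form: path.resolve() only normalises the string and never consults
// the filesystem, so a link stored inside the root passes the check.
function lexicalCheck(root: string, candidate: string): boolean {
  return isInside(path.resolve(root), path.resolve(candidate));
}

// Hardened form: canonicalise both sides with realpath, then compare.
// Returns the canonical path to open, or null when the request is refused.
function resolveAllowed(root: string, candidate: string): string | null {
  try {
    const real = fs.realpathSync(candidate);
    return isInside(fs.realpathSync(root), real) ? real : null;
  } catch {
    return null; // missing or unreadable paths fail closed
  }
}

// Constructed fixture: an allowed directory with a regular file and a link to a sibling directory.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "pathcheck-"));
  try {
    const allowed = path.join(base, "allowed"), outside = path.join(base, "outside");
    for (const d of [allowed, outside]) fs.mkdirSync(d);
    const notes = path.join(allowed, "notes.md");
    const link = path.join(allowed, "link.md");
    fs.writeFileSync(notes, "inside\n");
    fs.writeFileSync(path.join(outside, "private.txt"), "outside\n");
    fs.symlinkSync(path.join(outside, "private.txt"), link);
    return {
      lexicalAcceptsLink: lexicalCheck(allowed, link),
      hardenedLink: resolveAllowed(allowed, link),
      hardenedPlainOk: resolveAllowed(allowed, notes) === fs.realpathSync(notes),
      hardenedMissing: resolveAllowed(allowed, path.join(allowed, "absent.md")),
    };
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
}
console.log(demo());
```

The check and the later file open are separate operations, so a link swapped in between them can still be followed; opening the canonical path that `resolveAllowed` returns, rather than the caller's original string, narrows that window.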
Affected Version(s)
markdownify-mcp 1.0
markdownify-mcp 1.1.0
