Symlink Following Vulnerability in zcaceres markdownify-mcp Product
CVE-2026-14699

4.8MEDIUM

Key Information:

Vendor

Zcaceres

Vendor
CVE Published:
5 July 2026

What is CVE-2026-14699?

A vulnerability has been discovered in the zcaceres markdownify-mcp product, specifically within the assertPathAllowed function of src/Markdownify.ts, which can be exploited through local manipulation. This condition enables attackers to follow symbolic links, potentially leading to unauthorized access or exposure of sensitive data. A patch has been proposed and is pending acceptance to remediate this issue.

Affected Version(s)

markdownify-mcp 1.0

markdownify-mcp 1.1.0

References

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dem000000 (VulDB User)
VulDB CNA Team
.