Path Traversal Vulnerability in douinc mkdocs-mcp-plugin Software
CVE-2026-7159

6.9MEDIUM

Key Information:

Vendor: Douinc
Status: Mkdocs-mcp-plugin
Vendor: CVE Published:; 27 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-7159?

A path traversal vulnerability has been identified in the douinc mkdocs-mcp-plugin version 0.4.1. This issue allows attackers to manipulate inputs intended for the read_document and list_documents functions within the server.py file. An attacker could potentially trick the affected function into accessing unintended files by exploiting the argument handling for docs_dir and file_path. Given that this vulnerability is remotely exploitable, it poses a significant risk. The vendor has acknowledged the issue and is expected to release a fix shortly.

Affected Version(s)

mkdocs-mcp-plugin 0.4.0

mkdocs-mcp-plugin 0.4.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-7159 - Proof of Concept

References

https://vuldb.com/vuln/359758

vdb-entrytechnical-description

https://vuldb.com/vuln/359758/cti

signaturepermissions-required

https://vuldb.com/submit/802063

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 27, 2026
👾
Exploit known to exist
Apr 27, 2026
Vulnerability published
Apr 27, 2026
Vulnerability Reserved
Apr 26, 2026

Credit

SmallW (VulDB User)

VulDB CNA Team

CVE-2026-7159 Data

JSON

Douinc