What happened
CVE-2026-14702 (CVSS 2.5 Low, published 2026-07-05) affects the temp-file-naming scheme in markdownify-mcp's content-conversion tools.
Why it matters
Narrow, local-only blast radius on a single MCP conversion tool package — kept as a precise catalogued CVE per tiering guidance.
Attack vector
saveToTempFile uses insufficiently random values when generating temporary file names, restricted to local attack vector, enabling prediction/collision of temp files used by MCP conversion tools.
Affected systems
zcaceres markdownify-mcp ≤ 1.1.0 (src/Markdownify.ts, webpage/youtube/bing-search-to-markdown tools)
Mitigation
No fix confirmed at disclosure; use cryptographically random temp filenames as a workaround/patch.