Vulnerability  ·  2026-07-06

markdownify-mcp — Insufficiently Random Temp File Names in saveToTempFile

VulnerabilityLow impactGlobalCVE-2026-14702
CVE-2026-14702 (CVSS 2.5 Low, published 2026-07-05) affects the temp-file-naming scheme in markdownify-mcp's content-conversion tools.
Narrow, local-only blast radius on a single MCP conversion tool package — kept as a precise catalogued CVE per tiering guidance.
saveToTempFile uses insufficiently random values when generating temporary file names, restricted to local attack vector, enabling prediction/collision of temp files used by MCP conversion tools.
zcaceres markdownify-mcp ≤ 1.1.0 (src/Markdownify.ts, webpage/youtube/bing-search-to-markdown tools)
No fix confirmed at disclosure; use cryptographically random temp filenames as a workaround/patch.
NVD CVE-2026-14702
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →