PatchSiren cyber security CVE debrief

CVE-2026-9472 dazeb CVE debrief

A path traversal vulnerability exists in the dazeb markdown-downloader project, affecting functions in src/index.ts including download_markdown, list_downloaded_files, and create_subdirectory. The vulnerability allows remote attackers to manipulate file paths, potentially leading to unauthorized file access or modification outside the intended directories. The project does not use formal versioning, which makes identifying affected releases difficult. The issue was reported to the project via GitHub issue 12 prior to CVE publication, but no response had been received as of the CVE modification date. The vulnerability has been publicly disclosed, and the availability of an exploit is noted.

Vendor: dazeb
Product: markdown-downloader
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Organizations using dazeb markdown-downloader for automated markdown file processing, particularly in multi-user or internet-facing deployments where file path inputs may be attacker-controlled.

Technical summary

The vulnerability resides in src/index.ts within multiple file handling functions. Path traversal occurs because user input is used to construct file paths without adequate validation, so directory escape sequences (e.g., ../) can reach files outside the intended directories. The attack vector is remote, requires low privileges, and needs no user interaction. Impact is rated low by the CVSS scoring, but a proof-of-concept exploit is publicly available.

Defensive priority

LOW

Recommended defensive actions

  • Review and restrict file system access permissions for applications using markdown-downloader
  • Implement path validation and sanitization for all user-supplied file paths
  • Consider using chroot jails or containerized environments to limit filesystem exposure
  • Monitor for unauthorized file access attempts in application logs
  • Evaluate alternative markdown download utilities with active maintenance if the vendor remains unresponsive
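The path validation recommended above, applied to the pattern described in the technical summary (a user-supplied file or subdirectory name joined onto a fixed download directory), as an added example. This is not code from the markdown-downloader project; the base directory, function names and error type are assumptions for illustration.

```typescript
// Added example (not the project's own code): confine a user-supplied relative
// path to one download directory before any fs call uses it.
import * as path from "node:path";

// Assumed base directory for the example; the real project's value is not shown here.
export const DOWNLOAD_DIR = path.resolve("/srv/markdown-downloads");

export class PathTraversalError extends Error {
  constructor(input: string) {
    super(`refused path outside download directory: ${input}`);
    this.name = "PathTraversalError";
  }
}

// Resolve `userPath` under `baseDir`, throwing if the result would escape it.
// Usable for file names (download/list) and for subdirectory names alike.
export function safeJoin(baseDir: string, userPath: string): string {
  if (typeof userPath !== "string" || userPath.length === 0) {
    throw new PathTraversalError(String(userPath));
  }
  // NUL bytes: the OS truncates the name at the NUL, opening a different file.
  if (userPath.includes("\0")) {
    throw new PathTraversalError(userPath);
  }
  // Absolute input (POSIX or Windows drive form) would replace the base entirely.
  if (path.isAbsolute(userPath) || /^[a-zA-Z]:[\\/]/.test(userPath)) {
    throw new PathTraversalError(userPath);
  }
  const root = path.resolve(baseDir);
  const resolved = path.resolve(root, userPath); // collapses any "../" segments
  // Accept only root itself or a descendant. Comparing against root + sep
  // avoids the "/base" vs "/base-other" prefix collision of a plain startsWith.
  if (resolved !== root && !resolved.startsWith(root + path.sep)) {
    throw new PathTraversalError(userPath);
  }
  return resolved;
}

// Boolean form for callers that validate before deciding how to respond.
export function isConfined(baseDir: string, userPath: string): boolean {
  try {
    safeJoin(baseDir, userPath);
    return true;
  } catch {
    return false;
  }
}
```

The check is lexical only: if symlinks can be created inside the download directory, resolve the final path with fs.realpath and repeat the prefix comparison before opening it.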

Evidence notes

Vulnerability identified in commit 3d4394b34b6c99d81af817623af55e3384df5a6a and earlier. CWE-22 (Path Traversal) assigned by VulDB. CVSS 4.0 vector indicates network attack vector with low privileges required and low impact to confidentiality, integrity, and availability. Exploit existence marked as 'P' (Proof-of-concept) in CVSS vector.

Official resources

2026-05-25