CVE-2026-35394

Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobileopenurl tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls...

CVE-2026-35394

Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobileopenurl tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls...

@mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url

Summary The mobileopenurl tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. Details The vulnerable code pass...

GHSA-5QHV-X9J4-C3VM @mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url

Summary The mobileopenurl tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. Details The vulnerable code pass...

PT-2026-30323

Summary The mobile open url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. Details The vulnerable code...

EUVD-2022-27901

Malicious code in bioql PyPI...

CVE-2018-21078

An issue was discovered on Samsung mobile devices with M6.0, N7.x, and O8.0 software. The Contacts application allows attackers to originate video calls because SS Supplementary Service and USSD Unstructured Supplementary Service Data codes are improperly secured. The Samsung ID is SVE-2018-11469...

CVE-2022-22758

When clicking on a tel: link, USSD codes, specified after a \ character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request forgery attack.This bug only affects...

CVE-2022-22758

When clicking on a tel: link, USSD codes, specified after a \ character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request forgery attack.This bug only affects...

Cross site request forgery (csrf)

When clicking on a tel: link, USSD codes, specified after a \ character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request forgery attack.This bug only affects...

CVE-2022-22758

When clicking on a tel: link, USSD codes, specified after a \ character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request forgery attack.This bug only affects...

CVE-2022-22758

When clicking on a tel: link, USSD codes, specified after a \ character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request forgery attack.This bug only affects...

CVE-2022-22758

When clicking on a tel: link, USSD codes, specified after a \ character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request forgery attack.This bug only affects...

CVE-2022-22758

When clicking on a tel: link, USSD codes, specified after a \ character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request forgery attack.This bug only affects...

CVE-2022-22758

CVE-2022-22758 affects Mozilla Firefox (Android) and arises from incorrect handling of tel: links where USSD codes placed after a * character could be included in the dialed number, potentially enabling actions on a user’s account. The issue impacts Firefox versions prior to 97 (and related ESR l...

Mozilla Firefox < 97.0

The version of Firefox installed on the remote Windows host is prior to 97.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2022-04 advisory. - Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96 and Firef...

CVE-2018-21078

An issue was discovered on Samsung mobile devices with M6.0, N7.x, and O8.0 software. The Contacts application allows attackers to originate video calls because SS Supplementary Service and USSD Unstructured Supplementary Service Data codes are improperly secured. The Samsung ID is SVE-2018-11469...

Design/Logic Flaw

An issue was discovered on Samsung mobile devices with M6.0, N7.x, and O8.0 software. The Contacts application allows attackers to originate video calls because SS Supplementary Service and USSD Unstructured Supplementary Service Data codes are improperly secured. The Samsung ID is SVE-2018-11469...

Android Exploited to Make, End Phone Calls; Send USSD Codes

A pair of vulnerabilities in all but the newest KitKat iteration of Google’s Android operating system could let a malicious or rogue application exceed its permission level in order to make phone calls, hang up phone calls, or send USSD or MMI codes. Marco Lux and Pedro Umbelino of Curesec claim...