Lucene search
+L

82 matches found

Nuclei
Nuclei
added 12 hours ago103 views

Appium Desktop Server - Remote Code Execution

OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4. id: CVE-2023-2479 info: name: Appium Desktop Server - Remote Code Execution author: zn9988 severity: critical description: | OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4...

9.8CVSS8.4AI score0.22014EPSS
Exploits2References5
NVD
NVD
added 5 days ago8 views

CVE-2026-58500

MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS. In versions prior to 1.85.10, the createLocatorGeneratorUI function interpolates attacker-controlled element attributes — text, content-desc, resource-id, and locator selector...

8.2CVSS0.00276EPSS
Exploits0References2
CVE
CVE
added 5 days ago12 views

CVE-2026-58500

CVE-2026-58500について、MCP Appium のcreateLocatorGeneratorUI が、バージョン1.85.10以前で、攻撃者が制御する要素属性(テキスト、content-desc、resource-id、ロケータ選択子)をHTMLテンプレートリテラルに直接埋め込み、HTML/JavaScript文脈のエスケープを行わないことが根本原因の未エスケープデータXSS を引き起こすコントリビューションです。被害者が対象アプリのUIをレンダリングすると、埋め込まれたスクリプトが実行され、window.parent.postMessageを介して任意のMCPツールの実行...

8.2CVSS6.2AI score0.00276EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-58500 MCP Appium: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)

MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS. In versions prior to 1.85.10, the createLocatorGeneratorUI function interpolates attacker-controlled element attributes — text, content-desc, resource-id, and locator selector...

8.2CVSS0.00276EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 5 days ago5 views

CVE-2026-58500

MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS. In versions prior to 1.85.10, the createLocatorGeneratorUI function interpolates attacker-controlled element attributes — text, content-desc, resource-id, and locator selector...

8.2CVSS6.2AI score0.00276EPSS
Exploits0References3Affected Software1
OSV
OSV
added 5 days ago5 views

CVE-2026-58500 MCP Appium: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)

MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS. In versions prior to 1.85.10, the createLocatorGeneratorUI function interpolates attacker-controlled element attributes — text, content-desc, resource-id, and locator selector...

8.2CVSS6.2AI score0.00276EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-57883

Name of the Vulnerable Software and Affected Versions MCP Appium versions prior to 1.85.10 Description The createLocatorGeneratorUI function fails to escape HTML or JavaScript context when interpolating element attributes—specifically text, content-desc, resource-id, and locator selector...

8.2CVSS6.2AI score0.00276EPSS
Exploits0References4
Snyk
Snyk
added 2026/07/08 10:37 p.m.9 views

Cross-site Scripting (XSS)

Overview @appium/base-driver is a Base driver class for Appium drivers Affected versions of this package are vulnerable to Cross-site Scripting XSS via compileLodashTemplate. An attacker can execute arbitrary JavaScript in the context of the server origin by injecting malicious input into the...

9.6CVSS6.2AI score0.0022EPSS
Exploits1References2
NVD
NVD
added 2026/07/08 9:16 p.m.7 views

CVE-2026-58192

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.joinstorageRoot, name and fs.rimraf witho...

8.6CVSS0.00345EPSS
Exploits0References4
NVD
NVD
added 2026/07/08 9:16 p.m.7 views

CVE-2026-58191

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate...

6.5CVSS0.0022EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/07/08 8:57 p.m.34 views

CVE-2026-58191 Appium: Reflected XSS / arbitrary JS in @appium/base-driver /test/guinea-pig* routes

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate...

6.5CVSS0.0022EPSS
Exploits1References1
CVE
CVE
added 2026/07/08 8:57 p.m.12 views

CVE-2026-58191

Appium base-driver before 10.7.0 unconditionally mounts /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate reflects throwError, comments field, and User-Agent header into HTML without escaping. This enables reflected XSS and arbitrary ...

6.5CVSS6.1AI score0.0022EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/07/08 8:57 p.m.3 views

CVE-2026-58191 Appium: Reflected XSS / arbitrary JS in @appium/base-driver /test/guinea-pig* routes

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate...

6.5CVSS6.2AI score0.0022EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/07/08 8:56 p.m.34 views

CVE-2026-58192 Appium: Unauthenticated arbitrary file/directory deletion in @appium/storage-plugin

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.joinstorageRoot, name and fs.rimraf witho...

8.6CVSS0.00345EPSS
Exploits0References4
CVE
CVE
added 2026/07/08 8:56 p.m.11 views

CVE-2026-58192

CVE-2026-58192 affects Appium’s storage-plugin: prior to 1.1.6, POST /storage/delete passes user-supplied name into path.join(storageRoot, name) and fs.rimraf() without sanitization, enabling an unauthenticated remote attacker to escape the storage root via ../ and delete arbitrary writable files...

8.6CVSS6.1AI score0.00345EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.12 views

PT-2026-56609

Name of the Vulnerable Software and Affected Versions Appium versions prior to 1.1.6 Description The Appium storage plugin contains a flaw where the handler for the 'POST /storage/delete' endpoint passes the user-supplied name variable directly into path.joinstorageRoot, name and the fs.rimraf...

8.6CVSS6.2AI score0.00345EPSS
Exploits0References9
Snyk
Snyk
added 2026/06/19 9:43 p.m.12 views

Cross-site Scripting (XSS)

Overview appium-mcp is an Intelligent MCP server providing AI assistants with powerful tools and resources for Appium mobile automation Affected versions of this package are vulnerable to Cross-site Scripting XSS via the createLocatorGeneratorUI function. An attacker can execute arbitrary...

8.2CVSS5.8AI score0.00276EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/22 8:23 p.m.9 views

@headspinio/appium-roku-driver (>=2.6.1 <=2.7.0), @natlibfi/passport-melinda-aleph (=3.0.3-alpha.1) +2 more potentially affected by CVE-2026-41673 via @xmldom/xmldom (=0.9.0)

@xmldom/xmldom NPM version =0.9.0 is affected by a known vulnerability. The following packages have a transitive dependency on @xmldom/xmldom and may be impacted: - @headspinio/appium-roku-driver =2.6.1, =3.0.0, =1.7.9-beta.3, =1.8.0-beta.2 Source cves: CVE-2026-41673 Source advisory:...

8.7CVSS5.8AI score0.00643EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/04/22 8:23 p.m.7 views

@headspinio/appium-roku-driver (>=2.6.1 <=2.7.0), @natlibfi/passport-melinda-aleph (=3.0.3-alpha.1) +2 more potentially affected by CVE-2026-41673 via @xmldom/xmldom (=0.9.0)

@xmldom/xmldom NPM version =0.9.0 is affected by a known vulnerability. The following packages have a transitive dependency on @xmldom/xmldom and may be impacted: - @headspinio/appium-roku-driver =2.6.1, =3.0.0, =1.7.9-beta.3, =1.8.0-beta.2 Source cves: CVE-2026-41673 Source advisory:...

8.7CVSS5.8AI score0.00643EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/04/22 8:19 p.m.10 views

@headspinio/appium-roku-driver (>=2.6.1 <=2.7.0), @natlibfi/passport-melinda-aleph (=3.0.3-alpha.1) +2 more potentially affected by CVE-2026-41674 via @xmldom/xmldom (=0.9.0)

@xmldom/xmldom NPM version =0.9.0 is affected by a known vulnerability. The following packages have a transitive dependency on @xmldom/xmldom and may be impacted: - @headspinio/appium-roku-driver =2.6.1, =3.0.0, =1.7.9-beta.3, =1.8.0-beta.2 Source cves: CVE-2026-41674 Source advisory:...

8.7CVSS5.8AI score0.00457EPSS
Exploits0
Rows per page
Query Builder