10 matches found
Improper Authorization in Handler for Custom URL Scheme
Overview: @mobilenext/mobile-mcp is a Mobile MCP. Affected versions of this package are vulnerable to Improper Authorization in Handler for Custom URL Scheme via the mobileopenurl function. An attacker can execute arbitrary Android intents, such as initiating phone calls, sending SMS messages,...
@waigenie/mobile-mcp (=0.0.16) potentially affected by CVE-2026-35394 via @mobilenext/mobile-mcp (=0.0.12)
@mobilenext/mobile-mcp NPM version =0.0.12 is affected by a known vulnerability. The following packages have a transitive dependency on @mobilenext/mobile-mcp and may be impacted: - @waigenie/mobile-mcp =0.0.16 Source cves: CVE-2026-35394 Source advisory: OSV:GHSA-5QHV-X9J4-C3VM...
@waigenie/mobile-mcp (=0.0.16) potentially affected by CVE-2026-35394 via @mobilenext/mobile-mcp (=0.0.12)
@mobilenext/mobile-mcp NPM version =0.0.12 is affected by a known vulnerability. The following packages have a transitive dependency on @mobilenext/mobile-mcp and may be impacted: - @waigenie/mobile-mcp =0.0.16 Source cves: CVE-2026-35394 Source advisory: SNYK:JS-MOBILENEXTMOBILEMCP-15918166...
PT-2026-30323
Summary: The mobile open url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. Details: The vulnerable code...
CVE-2026-33989 @mobilenext/mobile-mcp allows arbitrary file write via Path Traversal in mobile screen capture tools
Mobile Next is an MCP server for mobile development and automation. Prior to version 0.0.49, the @mobilenext/mobile-mcp server contains a Path Traversal vulnerability in the mobilesavescreenshot and mobilestartscreenrecording tools. The saveTo and output parameters were passed directly to...
CVE-2026-33989 @mobilenext/mobile-mcp allows arbitrary file write via Path Traversal in mobile screen capture tools
Mobile Next is an MCP server for mobile development and automation. Prior to version 0.0.49, the @mobilenext/mobile-mcp server contains a Path Traversal vulnerability in the mobilesavescreenshot and mobilestartscreenrecording tools. The saveTo and output parameters were passed directly to...
Directory Traversal
Overview: @mobilenext/mobile-mcp is a Mobile MCP. Affected versions of this package are vulnerable to Directory Traversal via the saveTo and output parameters in the mobilesavescreenshot and mobilestartscreenrecording tools. An attacker can overwrite arbitrary files on the host system by supplying...
@waigenie/mobile-mcp (=0.0.16) potentially affected by CVE-2026-33989 via @mobilenext/mobile-mcp (=0.0.12)
@mobilenext/mobile-mcp NPM version =0.0.12 is affected by a known vulnerability. The following packages have a transitive dependency on @mobilenext/mobile-mcp and may be impacted: - @waigenie/mobile-mcp =0.0.16 Source cves: CVE-2026-33989 Source advisory: SNYK:JS-MOBILENEXTMOBILEMCP-15874414...
@waigenie/mobile-mcp (=0.0.16) potentially affected by CVE-2026-33989 via @mobilenext/mobile-mcp (=0.0.12)
@mobilenext/mobile-mcp NPM version =0.0.12 is affected by a known vulnerability. The following packages have a transitive dependency on @mobilenext/mobile-mcp and may be impacted: - @waigenie/mobile-mcp =0.0.16 Source cves: CVE-2026-33989 Source advisory: OSV:GHSA-3P2M-H2V6-G9MX...
GHSA-3P2M-H2V6-G9MX @mobilenext/mobile-mcp allows arbitrary file write via Path Traversal in mobile screen capture tools
Summary: The @mobilenext/mobile-mcp server contains a Path Traversal vulnerability in the mobilesavescreenshot and mobilestartscreenrecording tools. The saveTo and output parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the...