2 matches found
CVE-2026-35394 Mobile Next has Arbitrary Android Intent Execution via mobile_open_url
Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobileopenurl tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls...
PT-2026-28584
Name of the Vulnerable Software and Affected Versions @mobilenext/mobile-mcp versions prior to 0.0.49 Description The @mobilenext/mobile-mcp server contains a Path Traversal vulnerability in the mobile save screenshot and mobile start screen recording tools. The saveTo and output parameters are...