3 matches found
CVE-2026-55592
Dashy prior to version 4.3.7 is affected by an XSS related to the workspace URL parameter in the iframe src, where the URL is used without scheme validation. A crafted workspace link with a javascript: URL can execute code in the Dashy origin, allowing access to same-origin data, interaction with...
CVE-2026-35394 Mobile Next has Arbitrary Android Intent Execution via mobile_open_url
Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobileopenurl tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls...
GHSA-PR45-CG4X-FF4M ggit is vulnerable to Arbitrary Argument Injection via the clone() API
All versions of the package ggit are vulnerable to Arbitrary Argument Injection via the clone API, which allows specifying the remote URL to clone and the file on disk to clone to. The library does not sanitize for user input or validate a given URL scheme, nor does it properly pass command-line...