ByteOS Network

mobilenexthq

Source -

NVD

BOS Name -

N/A

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-35394

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-8.3||HIGH

EPSS-0.05% / 15.62%

7 Day CHG~0.00%

Published-06 Apr, 2026 | 20:52

Updated-09 Apr, 2026 | 17:49

Mobile Next has Arbitrary Android Intent Execution via mobile_open_url

Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50.

Vendor-mobilenexthq mobile-next

Product-mobile_mcp mobile-mcp

CWE ID-CWE-939

Improper Authorization in Handler for Custom URL Scheme

CVE-2026-33989

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-8.1||HIGH

EPSS-0.04% / 10.38%

7 Day CHG~0.00%

Published-27 Mar, 2026 | 22:03

Updated-31 Mar, 2026 | 21:52

@mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools

Mobile Next is an MCP server for mobile development and automation. Prior to version 0.0.49, the `@mobilenext/mobile-mcp` server contains a Path Traversal vulnerability in the `mobile_save_screenshot` and `mobile_start_screen_recording` tools. The `saveTo` and `output` parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace. Version 0.0.49 fixes the issue.

Vendor-mobilenexthq mobile-next

Product-mobile_mcp mobile-mcp

CWE ID-CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE ID-CWE-73

External Control of File Name or Path