CVE-2026-35394

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H                                    

Vulnerability Description

Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50.

Vulnerability Details

Published Date

April 04, 2026

Last Modified

April 09, 2026

CWE ID

CWE-939

Source

GitHub

Vendor

npm

Product

@mobilenext/mobile-mcp

External References

https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm
https://github.com/mobile-next/mobile-mcp/pull/299
https://github.com/mobile-next/mobile-mcp/releases/tag/0.0.50
https://github.com/advisories/GHSA-5qhv-x9j4-c3vm

CVE-2026-35394

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment