@mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url
- Severity: High
Description
The mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android’s intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access.
Recommendation
Update the @mobilenext/mobile-mcp package to the latest compatible version. Version details:
- Affected version(s): < 0.0.50
- Patched version(s): 0.0.50
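The missing control named in the description is scheme validation before a URL reaches the intent system. The following is an added example of such a check, not code from mobile-mcp or its 0.0.50 patch; the function name `checkUrlForOpen`, the http/https-only allowlist and the sample inputs are assumptions made for illustration.

```typescript
// Added example (not mobile-mcp code): scheme allowlist for a URL-opening tool.
// Assumption: the tool only needs to open web links, so only http/https pass.
const ALLOWED_SCHEMES: string[] = ["http", "https"];

interface UrlCheck {
  ok: boolean;
  scheme: string | null;
  reason: string;
}

// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
const SCHEME_RE = /^([A-Za-z][A-Za-z0-9+.-]*):/;

function checkUrlForOpen(input: string): UrlCheck {
  // Reject whitespace and control characters outright instead of trimming, so
  // the checked value is byte-for-byte the value handed to the next layer.
  if (/[\u0000-\u0020\u007f]/.test(input)) {
    return { ok: false, scheme: null, reason: "whitespace or control character" };
  }
  const m = SCHEME_RE.exec(input);
  if (m === null) {
    return { ok: false, scheme: null, reason: "no scheme" };
  }
  // Schemes are case-insensitive: TEL: and tel: must be treated alike.
  const scheme = m[1].toLowerCase();
  if (ALLOWED_SCHEMES.indexOf(scheme) === -1) {
    return { ok: false, scheme: scheme, reason: "scheme not allowed" };
  }
  // Allowed web schemes must carry "//" and a non-empty authority.
  if (!/^[A-Za-z][A-Za-z0-9+.-]*:\/\/[^\/?#]+/.test(input)) {
    return { ok: false, scheme: scheme, reason: "missing host" };
  }
  return { ok: true, scheme: scheme, reason: "allowed" };
}

// Constructed inputs covering the intent classes the advisory lists.
const SAMPLES: string[] = [
  "https://example.com/",              // web link: allowed
  "tel:5550100",                       // dialer (phone calls, USSD)
  "sms:5550100?body=hi",               // SMS composer
  "content://example.provider/items",  // content provider access
  "intent://example.com#Intent;end",   // explicit intent URI
];

function rejectedSamples(): string[] {
  return SAMPLES.filter((s) => !checkUrlForOpen(s).ok);
}
```

The check is an allowlist rather than a blocklist, so a scheme the author did not anticipate is rejected by default.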
References
Related Issues
- @mobilenext/mobile-mcp allows arbitrary file write via Path Traversal in mobile screen capture tools - CVE-2026-33989
- HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft - CVE-2026-46496
- Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click - CVE-2026-43941
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- Tags: npm, @mobilenext/mobile-mcp
Last updated on April 06, 2026


