CVE-2026-33989
- Source
- https://cve.org/CVERecord?id=CVE-2026-33989
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33989.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-33989
- Aliases
- Published
- 2026-03-27T22:03:01.801Z
- Modified
- 2026-03-31T02:47:56.906054Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H CVSS Calculator
- Summary
- @mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools
- Details
-
Mobile Next is an MCP server for mobile development and automation. Prior to version 0.0.49, the
@mobilenext/mobile-mcpserver contains a Path Traversal vulnerability in themobile_save_screenshotandmobile_start_screen_recordingtools. ThesaveToandoutputparameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace. Version 0.0.49 fixes the issue. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33989.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-22", "CWE-73" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33989.json
- https://github.com/mobile-next/mobile-mcp/commit/f5e32295903128c1e71cf915ae6c0b76c7b0153b
- https://github.com/mobile-next/mobile-mcp/releases/tag/0.0.49
- https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-3p2m-h2v6-g9mx
- https://nvd.nist.gov/vuln/detail/CVE-2026-33989
Affected packages
Git / github.com/mobile-next/mobile-mcp
Affected versions
0.*
0.0.11
0.0.12
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.0.27
0.0.28
0.0.29
0.0.30
0.0.31
0.0.32
0.0.33
0.0.34
0.0.35
0.0.36
0.0.37
0.0.38
0.0.39
0.0.40
0.0.41
0.0.42
0.0.43
0.0.44
0.0.45
0.0.46
0.0.47
0.0.48
0.0.9
v0.*
v0.0.31-beta