CVE-2026-35394

Source
https://cve.org/CVERecord?id=CVE-2026-35394
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-35394.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-35394
Aliases
Published
2026-04-06T20:52:25.170Z
Modified
2026-04-13T04:29:48.955052Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Summary
Mobile Next has Arbitrary Android Intent Execution via mobile_open_url
Details

Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50.

Database specific
{
    "cwe_ids": [
        "CWE-939"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35394.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/mobile-next/mobile-mcp

Affected ranges

Type
GIT
Repo
https://github.com/mobile-next/mobile-mcp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.0.50"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.0.11
0.0.12
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.0.27
0.0.28
0.0.29
0.0.30
0.0.31
0.0.32
0.0.33
0.0.34
0.0.35
0.0.36
0.0.40
0.0.41
0.0.42
0.0.44
0.0.45
0.0.46
0.0.47
0.0.48
0.0.49
0.0.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-35394.json"