CVE-2026-35394
Mobile Next has Arbitrary Android Intent Execution via mobile_open_url
CVSS Score
8.3
EPSS Score
0.0%
EPSS Percentile
12th
Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50.
| CWE | CWE-939 |
| Vendor | mobile-next |
| Product | mobile-mcp |
| Published | Apr 6, 2026 |
| Last Updated | Apr 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for mobile-next mobile-mcp
Be the first to know when new high vulnerabilities affecting mobile-next mobile-mcp are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High
Affected Versions
mobile-next / mobile-mcp
< 0.0.50