Publish Advisories

GHSA-5qhv-x9j4-c3vm
GHSA-prmx-7v35-7q82

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-5qhv-x9j4-c3vm/GHSA-5qhv-x9j4-c3vm.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5qhv-x9j4-c3vm",
+  "modified": "2026-04-04T05:37:10Z",
+  "published": "2026-04-04T05:37:10Z",
+  "aliases": [
+    "CVE-2026-35394"
+  ],
+  "summary": "@mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url",
+  "details": "### Summary\n\nThe `mobile_open_url` tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access.\n\n### Details\n\nThe vulnerable code passes URLs directly to `adb shell am start -a android.intent.action.VIEW -d <url>` without checking the URL scheme. This can enable malicious schemes such as `tel:`, `sms:`, `mailto:`, `content://`, and `market://` to be executed.\n\nSince MCP servers are designed to be operated by AI agents, which are vulnerable to prompt injection attacks, a malicious document or website could inject instructions that cause the AI to execute dangerous intents on a connected mobile device.\n\n### Impact\n\nAn attacker via prompt injection can:\n- Execute USSD codes (e.g., `tel:*#06#` to display IMEI - confirmed on Pixel 7a, behavior varies by device; or device-specific factory reset codes)\n- Initiate phone calls to premium rate numbers\n- Draft SMS messages with attacker-controlled content\n- Access content providers (contacts, SMS, call logs)\n- Open app installation prompts\n\n### Proof of Concept\n```json\n{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/call\",\"params\":{\"name\":\"mobile_open_url\",\"arguments\":{\"device\":\"<id>\",\"url\":\"tel:*#06#\"}}}\n```\n\nResult: IMEI displayed on device.\n```json\n{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/call\",\"params\":{\"name\":\"mobile_open_url\",\"arguments\":{\"device\":\"<id>\",\"url\":\"sms:1234567890?body=HACKED\"}}}\n```\n\nResult: SMS app opens with a pre-filled message.\n\n### Remediation\n\nUpgrade to version 0.0.50 or later, which restricts `mobile_open_url` to `http://` and `https://` schemes by default. Users who require other URL schemes can opt in by setting `MOBILEMCP_ALLOW_UNSAFE_URLS=1`.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@mobilenext/mobile-mcp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.50"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mobile-next/mobile-mcp/pull/299"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mobile-next/mobile-mcp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mobile-next/mobile-mcp/releases/tag/0.0.50"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-939"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T05:37:10Z",
+    "nvd_published_at": null
+  }
+}

…-prmx-7v35-7q82/GHSA-prmx-7v35-7q82.json …-prmx-7v35-7q82/GHSA-prmx-7v35-7q82.jsonadvisories/unreviewed/2026/04/GHSA-prmx-7v35-7q82/GHSA-prmx-7v35-7q82.json renamed to advisories/github-reviewed/2026/04/GHSA-prmx-7v35-7q82/GHSA-prmx-7v35-7q82.json advisories/unreviewed/2026/04/GHSA-prmx-7v35-7q82/GHSA-prmx-7v35-7q82.json renamed to advisories/github-reviewed/2026/04/GHSA-prmx-7v35-7q82/GHSA-prmx-7v35-7q82.json

@@ -1,23 +1,44 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-prmx-7v35-7q82",
-  "modified": "2026-04-02T09:30:24Z",
+  "modified": "2026-04-04T05:35:52Z",
   "published": "2026-04-02T09:30:24Z",
   "aliases": [
     "CVE-2026-5323"
   ],
-  "details": "A vulnerability was found in priyankark a11y-mcp up to 1.0.5. This vulnerability affects the function A11yServer of the file src/index.js. The manipulation results in server-side request forgery. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. Upgrading to version 1.0.6 is able to resolve this issue. The patch is identified as e3e11c9e8482bd06b82fd9fced67be4856f0dffc. It is recommended to upgrade the affected component. The vendor acknowledged the issue but provides additional context for the CVSS rating: \"a11y-mcp is a local stdio MCP server - it has no HTTP endpoint and is not network-accessible. The caller is always the local user or an LLM acting on their behalf with user approval.\"",
+  "summary": "a11y-mcp: Server-Side Request Forgery (SSRF) vulnerability in A11yServer function",
+  "details": "A vulnerability was found in priyankark a11y-mcp up to 1.0.5. This vulnerability affects the function A11yServer of the file src/index.js. The manipulation results in server-side request forgery. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. \n\nUpgrading to version 1.0.6 is able to resolve this issue. The patch is identified as e3e11c9e8482bd06b82fd9fced67be4856f0dffc. It is recommended to upgrade the affected component. The vendor acknowledged the issue but provides additional context for the CVSS rating: \"a11y-mcp is a local stdio MCP server - it has no HTTP endpoint and is not network-accessible. The caller is always the local user or an LLM acting on their behalf with user approval.\"",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "a11y-mcp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.0.5"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -32,7 +53,7 @@
       "url": "https://github.com/priyankark/a11y-mcp/commit/e3e11c9e8482bd06b82fd9fced67be4856f0dffc"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/priyankark/a11y-mcp"
     },
     {
@@ -52,9 +73,9 @@
     "cwe_ids": [
       "CWE-918"
     ],
-    "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T05:35:52Z",
     "nvd_published_at": "2026-04-02T07:15:58Z"
   }
 }