CVE-2026-35394 - Vulnerability Analysis
High | CVSS: 8.3 | Last Updated: April 6, 2026
Mobile Next mobile-mcp - Command Injection
Published: April 6, 2026 | Updated: April 6, 2026 | Remote Exploitable
Overview
Mobile Next mobile-mcp versions before 0.0.50 contain a command injection vulnerability caused by a lack of scheme validation in the mobile_open_url tool, which passes user-supplied URLs to Android's intent system. This lets attackers execute arbitrary Android intents. Exploitation requires crafted URL input.
Severity & Score
Severity: High
CVSS Score: 8.3
Impact
Attackers can execute arbitrary Android intents, including USSD codes, phone calls, SMS, and content provider access, potentially leading to unauthorized actions on the device.
Mitigation
Update to version 0.0.50 or later.
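One way to enforce the scheme validation the Overview describes as missing, shown as an added example that is not mobile-mcp's code or its 0.0.50 fix. The function name, the http/https-only policy, the length limit and the sample URLs are assumptions.

```javascript
// Added example: scheme allowlist for a URL-opening tool (not mobile-mcp's code).
// Assumed policy: only web URLs may be handed to the device's intent system.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_URL_LENGTH = 2048; // assumed limit

// Returns { ok: true, url } with the normalized URL, or { ok: false, reason }.
function checkOpenUrl(input, allowed = ALLOWED_SCHEMES) {
  if (typeof input !== "string" || input.length === 0 || input.length > MAX_URL_LENGTH) {
    return { ok: false, reason: "not a URL string of acceptable length" };
  }
  let parsed;
  try {
    parsed = new URL(input); // WHATWG parser: accepts absolute URLs only
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // The parser lower-cases the scheme, so "TEL:" and "tel:" compare equal.
  if (!allowed.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "embedded credentials not allowed" };
  }
  // Pass on the parser's serialization, not the raw input: the parser strips
  // leading/trailing whitespace and embedded tabs/newlines, so the string that
  // was checked and the string that is opened are the same.
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs covering the intent types listed under Impact.
const samples = [
  "https://example.com/path?q=1",
  " HTTPS://Example.com",
  "tel:5550100",
  "TEL:5550100",
  "sms:5550100",
  "content://example.provider/items",
  "example.com",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(checkOpenUrl(s)));
}
```

A caller would open only the returned `url` value and treat any `ok: false` result as a tool error.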
Details
- CVE ID: CVE-2026-35394
- Severity: High
- CVSS Score: 8.3
- Type: command_injection
- Status: new
CWE
- CWE-939
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H