CVE-2026-35394 — HIGH (8.3)

Q: How severe is CVE-2026-35394?

CVE-2026-35394 has been rated HIGH with a CVSS base score of 8.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-35394?

Check the references section above for vendor advisories and patch information. Affected products include: Mobilenexthq Mobile Mcp.

Vulnerability Description

Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50.

CVSS Score

8.3

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Mobilenexthq	Mobile Mcp	< 0.0.50

Related Weaknesses (CWE)

CWE-939

References

https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vExploitMitigationPatch
https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vExploitMitigationPatch

FAQ

What is CVE-2026-35394?

CVE-2026-35394 is a vulnerability with a CVSS score of 8.3 (HIGH). Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any sc...

How severe is CVE-2026-35394?

CVE-2026-35394 has been rated HIGH with a CVSS base score of 8.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-35394?

Check the references section above for vendor advisories and patch information. Affected products include: Mobilenexthq Mobile Mcp.