CVE-2026-33989
@mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools
Mobile Next is an MCP server for mobile development and automation. Prior to version 0.0.49, the `@mobilenext/mobile-mcp` server contains a Path Traversal vulnerability in the `mobile_save_screenshot` and `mobile_start_screen_recording` tools. The `saveTo` and `output` parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace. Version 0.0.49 fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Productos afectados
mobile-next · mobile-mcp¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →