CVE-2026-33989

HIGH8.1/ 10.0
Share:
Published: March 27, 2026 at 10:16 PM
Modified: March 31, 2026 at 09:52 PM
Source: security-advisories@github.com

Vulnerability Description

Mobile Next is an MCP server for mobile development and automation. Prior to version 0.0.49, the `@mobilenext/mobile-mcp` server contains a Path Traversal vulnerability in the `mobile_save_screenshot` and `mobile_start_screen_recording` tools. The `saveTo` and `output` parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace. Version 0.0.49 fixes the issue.

CVSS Metrics

Base Score
8.1
Severity
HIGH
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Weaknesses (CWE)

CWE-22
CWE-73
Source: security-advisories@github.com

References & Intelligence

https://github.com/mobile-next/mobile-mcp/commit/f5e32295903128c1e71cf915ae6c0b76c7b0153b
Source: security-advisories@github.com
Patch
https://github.com/mobile-next/mobile-mcp/releases/tag/0.0.49
Source: security-advisories@github.com
Release Notes
https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-3p2m-h2v6-g9mx
Source: security-advisories@github.com
ExploitVendor Advisory

Related Resources

Browse CVE Database
Search 294,000+ vulnerabilities
CVEs from 2026
View all vulnerabilities this year
CWE Database
Explore weakness categories
Security Writeups
Learn from real-world examples
About 4nuxd
Cybersecurity research & tools
Homepage
Explore more security resources