CVE-2026-33989: @mobilenext/mobile-mcp allows arbitrary file write via Path Traversal in mobile screen capture tools
The @mobilenext/mobile-mcp server contains a Path Traversal vulnerability in the mobile_save_screenshot and mobile_start_screen_recording tools. The saveTo and output parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace.
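A containment check of the kind this bug class calls for, as an added example that is not the project's code or its patch (the linked commit holds the actual fix). The function names, the `/srv/workspace` root, and the extension allow-list are assumptions made for illustration.

```javascript
// Added example, not mobile-mcp source. All names here are hypothetical.
const path = require("node:path");

// Pattern the advisory describes: caller-supplied path used without validation.
function unsafeDestination(root, saveTo) {
  return path.resolve(root, saveTo); // "../x" or an absolute path leaves root
}

// Hardened: resolve against the workspace root, then require containment.
function resolveInWorkspace(root, requested, allowedExts) {
  if (typeof requested !== "string" || requested === "" || requested.includes("\0")) {
    throw new Error("invalid path");
  }
  const base = path.resolve(root);
  const target = path.resolve(base, requested);
  // Compare by path segments. A string prefix test (startsWith(base)) would
  // wrongly accept a sibling directory such as "<base>-backup".
  const rel = path.relative(base, target);
  const outside = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (rel === "" || outside) {
    throw new Error("path escapes workspace");
  }
  // Assumption: capture tools only ever need to write media files.
  if (!allowedExts.includes(path.extname(target).toLowerCase())) {
    throw new Error("unexpected file extension");
  }
  // This check is lexical. If the workspace can contain symlinks, also
  // compare fs.realpathSync() of the target's parent directory against base.
  return target;
}

// Constructed sample inputs.
const SAMPLES = ["shots/home.png", "../outside.png", "shots/../../outside.png",
                 "/tmp/outside.png", "../workspace-backup/home.png"];

function audit(root, samples) {
  return samples.map((s) => {
    try {
      resolveInWorkspace(root, s, [".png", ".jpg", ".mp4"]);
      return "allowed";
    } catch (e) {
      return "rejected";
    }
  });
}

console.log(audit("/srv/workspace", SAMPLES));
```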
References
- github.com/advisories/GHSA-3p2m-h2v6-g9mx
- github.com/mobile-next/mobile-mcp
- github.com/mobile-next/mobile-mcp/commit/f5e32295903128c1e71cf915ae6c0b76c7b0153b
- github.com/mobile-next/mobile-mcp/releases/tag/0.0.49
- github.com/mobile-next/mobile-mcp/security/advisories/GHSA-3p2m-h2v6-g9mx
- nvd.nist.gov/vuln/detail/CVE-2026-33989