PT-2026-28584 · Mobilenext · @Mobilenext/Mobile-Mcp

Abhithemodder · Published 2026-03-27 · Updated 2026-03-28 · CVE-2026-33989

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

@mobilenext/mobile-mcp versions prior to 0.0.49

Description

The @mobilenext/mobile-mcp server contains a path traversal vulnerability in the mobile_save_screenshot and mobile_start_screen_recording tools. Their saveTo and output parameters are passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace. The vulnerable code is in src/server.ts: lines 584-592 for mobile_save_screenshot and lines 597-620 for mobile_start_screen_recording. In both places the parameter reaches fs.writeFileSync() unvalidated, which creates the path traversal condition. A proof-of-concept (PoC) exploit demonstrates the ability to write files to arbitrary locations on the system, potentially overwriting sensitive files like .bashrc or .ssh/authorized_keys.

Recommendations

Update versions prior to 0.0.49 to version 0.0.49 or later.
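
One way to validate a caller-supplied output path such as saveTo or output before it reaches fs.writeFileSync(), shown as an added Node.js example. It is not the project's code or its 0.0.49 fix, and the helper names, the workspace root and the extension allowlist are assumptions.

```javascript
const fs = require("node:fs");
const path = require("node:path");

// Hypothetical helper (not from mobile-mcp): map a caller-supplied output
// path to a location under `root`, or throw if it would land elsewhere.
function resolveInsideRoot(root, requested, allowedExts) {
  if (typeof requested !== "string" || requested === "" || requested.includes("\0")) {
    throw new Error("output path must be a non-empty string without NUL bytes");
  }
  const realRoot = fs.realpathSync(root);
  // path.resolve() collapses ".." segments and lets an absolute `requested`
  // replace the root entirely, so the result must be checked, not trusted.
  const candidate = path.resolve(realRoot, requested);
  if (!allowedExts.includes(path.extname(candidate).toLowerCase())) {
    throw new Error("file extension not allowed for this tool");
  }
  // The file may not exist yet, so resolve symlinks on its parent directory.
  const realParent = fs.realpathSync(path.dirname(candidate));
  const finalPath = path.join(realParent, path.basename(candidate));
  const rel = path.relative(realRoot, finalPath);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("output path escapes the workspace");
  }
  // writeFileSync() follows symlinks, so refuse an existing link as target.
  const st = fs.lstatSync(finalPath, { throwIfNoEntry: false });
  if (st && st.isSymbolicLink()) {
    throw new Error("output path is a symbolic link");
  }
  return finalPath;
}

// Returns true when `requested` would be accepted, false when rejected.
function isAllowed(root, requested, allowedExts) {
  try {
    resolveInsideRoot(root, requested, allowedExts);
    return true;
  } catch {
    return false;
  }
}
```

The check and the later write are separate steps, so the workspace directory should not be writable by other users in between.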

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-33989
GHSA-3P2M-H2V6-G9MX

Affected Products

@Mobilenext/Mobile-Mcp