PT-2026-31441 · Tophat · Tophat

Published: 2026-04-08 · Updated: 2026-04-08 · CVE-2026-39862

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Tophat versions prior to 2.5.1

Description: Tophat, a mobile applications testing harness, is susceptible to remote code execution through specially crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter is processed without proper sanitization, leading to execution of arbitrary commands via /bin/bash -c on a developer's macOS workstation. Developers with Tophat installed are affected. No confirmation dialog is displayed for previously trusted build hosts, and attacker commands execute with the user's permissions.

Recommendations: Update to version 2.5.1 or later.
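The handler shape the description refers to, as an added illustration that is not Tophat's code: the arguments query value of a tophat:// or http://localhost:29070 launch URL handed straight to /bin/bash -c, beside the same value tokenized, checked against an allowlist and passed to the harness as an argv vector with no shell in between, behind an explicit confirmation of the exact command. The harness binary path, the /launch path, the token allowlist and the confirm callback are assumptions made for the example.

```python
import re
import shlex
from urllib.parse import urlsplit, parse_qs

# Constructed example, not Tophat's code. It models the two URL shapes the
# advisory names and contrasts the vulnerable dispatch (query value handed to
# /bin/bash -c) with a dispatch that never involves a shell.
HARNESS_BIN = "/Applications/Tophat.app/Contents/MacOS/tophat-run"  # hypothetical path
LOCAL_HTTP_PORT = 29070  # the localhost listener port named in the advisory
MAX_TOKENS = 16

# Allowlist for individual argument tokens (assumed for the example):
# flags like --device or --build=app.ipa, and plain values made of a narrow
# character set. Shell metacharacters, spaces and quotes never match.
TOKEN_RE = re.compile(
    r"^(--?[A-Za-z][A-Za-z0-9-]*(=[A-Za-z0-9._:/@-]+)?|[A-Za-z0-9._:/@-]+)$"
)


def parse_launch_url(url: str) -> str:
    """Return the raw 'arguments' query value of a launch URL, or raise."""
    parts = urlsplit(url)
    is_custom_scheme = parts.scheme == "tophat"
    is_local_http = (
        parts.scheme == "http"
        and parts.hostname == "localhost"
        and parts.port == LOCAL_HTTP_PORT
    )
    if not (is_custom_scheme or is_local_http):
        raise ValueError("not a Tophat launch URL")
    qs = parse_qs(parts.query, keep_blank_values=True)
    return qs.get("arguments", [""])[0]


def build_unsafe_command(raw_arguments: str) -> list:
    """The vulnerable shape: the URL-controlled string *is* the shell script."""
    return ["/bin/bash", "-c", raw_arguments]


def validate_arguments(raw_arguments: str) -> list:
    """Split the value into tokens and accept only allowlisted tokens."""
    try:
        tokens = shlex.split(raw_arguments)
    except ValueError as exc:  # unbalanced quoting
        raise ValueError(f"malformed arguments: {exc}")
    if len(tokens) > MAX_TOKENS:
        raise ValueError("too many arguments")
    for tok in tokens:
        if not TOKEN_RE.match(tok):
            raise ValueError(f"rejected argument token: {tok!r}")
    return tokens


def arguments_are_safe(raw_arguments: str) -> bool:
    """True if the value passes validation, False otherwise."""
    try:
        validate_arguments(raw_arguments)
        return True
    except ValueError:
        return False


def build_safe_command(raw_arguments: str) -> list:
    """The hardened shape: an argv vector for the harness binary, no shell."""
    return [HARNESS_BIN, *validate_arguments(raw_arguments)]


def plan_launch(url: str, confirm) -> list:
    """Parse, validate and require the user to confirm the exact argv.

    The confirmation is asked every time, independent of any 'trusted host'
    state, so a remembered build host cannot bypass it.
    """
    argv = build_safe_command(parse_launch_url(url))
    if not confirm(argv):
        raise PermissionError("launch declined by user")
    return argv


if __name__ == "__main__":
    # Constructed benign launch URL.
    url = "tophat://launch?arguments=--device%20iphone-15%20--build%20app.ipa"
    print(plan_launch(url, confirm=lambda argv: True))
```

The two build functions take the same input so the difference is visible in their return values alone: the unsafe one returns a command line that a shell will interpret, the safe one returns a vector whose elements reach the harness unchanged, with every element already known to contain nothing a shell could act on.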

Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-39862

Affected Products: Tophat