Skip to main content

appium-mcp CVE-2026-58500

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 GitHub_M
8.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
vuln.today AI
8.2 HIGH

Remote unauthenticated injection but victim must render the resource (UI:R); script crosses into the MCP client to run tools (S:C), yielding high integrity and low confidentiality impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 13, 2026 - 21:47 vuln.today
Analysis Generated
Jul 13, 2026 - 21:47 vuln.today
CVE Published
Jul 13, 2026 - 21:17 cve.org
HIGH 8.2

DescriptionCVE.org

MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS. In versions prior to 1.85.10, the createLocatorGeneratorUI function interpolates attacker-controlled element attributes - text, content-desc, resource-id, and locator selector values - directly into an HTML template literal without any HTML or JavaScript context escaping. An attacker who controls the UI of the app under test can inject arbitrary HTML and JavaScript into the MCP UI resource returned by the generate_locators tool. When a victim's MCP client renders this resource, the injected script executes and can invoke arbitrary MCP tools via window.parent.postMessage, leading to unauthorized MCP tool execution such as taking screenshots, reading page source, or any other registered capability. This issue has been fixed in version 1.85.10.

AnalysisAI

Cross-site scripting in appium-mcp (the Appium MCP server) versions <= 1.85.9 lets an attacker who controls the mobile app under test inject arbitrary HTML/JavaScript into the MCP UI resource returned by the generate_locators tool, because createLocatorGeneratorUI interpolates element attributes (text, content-desc, resource-id, selector, strategy) into an HTML template without escaping. When a victim's MCP client renders the resource, the injected script runs and can call arbitrary registered MCP tools via window.parent.postMessage (screenshots, page-source reads, etc.). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts app with XSS in element attributes
Delivery
Victim runs generate_locators against the app
Exploit
Unescaped attributes interpolated into MCP UI HTML
Execution
Client renders resource, injected script executes
Persist
postMessage invokes arbitrary MCP tools
Impact
Screenshots/page source exfiltrated

Vulnerability AssessmentAI

Exploitation Requires that the attacker control the UI attributes of the app under test (the text, content-desc, resource-id, or locator selector values Appium reads from the live session) AND that a victim runs the generate_locators tool against that app and renders the resulting MCP UI resource in an MCP client that honors window.parent.postMessage tool calls. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N, base 8.2) reflects a scope-changing XSS: no privileges on the server, but the victim must render the malicious MCP UI resource (UI:R), and success pivots into MCP tool execution on the client (S:C). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes or supplies a mobile app whose element text/content-desc/resource-id contains an XSS payload such as an img onerror that calls window.parent.postMessage. A tester using an AI assistant runs the generate_locators tool against that app; the returned MCP UI resource is rendered in the victim's MCP client, the script executes, and it silently invokes registered MCP tools (e.g., capture screenshots or dump page source). …
Remediation Vendor-released patch: upgrade appium-mcp to 1.85.10 or later, which HTML-escapes tagName, text, contentDesc, resourceId, selector and strategy via a new escapeHtml() helper and replaces the inline onclick handler with data-strategy/data-selector attributes plus a delegated click listener (see commit e222bbbd6fe2b656a320efcd143563f08061a83d and advisory GHSA-x975-rgx4-5fh4). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all systems running appium-mcp versions 1.85.9 or earlier in your QA and test automation infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58500 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy