appium-mcp
CVE-2026-58500
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Remote unauthenticated injection but victim must render the resource (UI:R); script crosses into the MCP client to run tools (S:C), yielding high integrity and low confidentiality impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS. In versions prior to 1.85.10, the createLocatorGeneratorUI function interpolates attacker-controlled element attributes - text, content-desc, resource-id, and locator selector values - directly into an HTML template literal without any HTML or JavaScript context escaping. An attacker who controls the UI of the app under test can inject arbitrary HTML and JavaScript into the MCP UI resource returned by the generate_locators tool. When a victim's MCP client renders this resource, the injected script executes and can invoke arbitrary MCP tools via window.parent.postMessage, leading to unauthorized MCP tool execution such as taking screenshots, reading page source, or any other registered capability. This issue has been fixed in version 1.85.10.
AnalysisAI
Cross-site scripting in appium-mcp (the Appium MCP server) versions <= 1.85.9 lets an attacker who controls the mobile app under test inject arbitrary HTML/JavaScript into the MCP UI resource returned by the generate_locators tool, because createLocatorGeneratorUI interpolates element attributes (text, content-desc, resource-id, selector, strategy) into an HTML template without escaping. When a victim's MCP client renders the resource, the injected script runs and can call arbitrary registered MCP tools via window.parent.postMessage (screenshots, page-source reads, etc.). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires that the attacker control the UI attributes of the app under test (the text, content-desc, resource-id, or locator selector values Appium reads from the live session) AND that a victim runs the generate_locators tool against that app and renders the resulting MCP UI resource in an MCP client that honors window.parent.postMessage tool calls. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N, base 8.2) reflects a scope-changing XSS: no privileges on the server, but the victim must render the malicious MCP UI resource (UI:R), and success pivots into MCP tool execution on the client (S:C). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes or supplies a mobile app whose element text/content-desc/resource-id contains an XSS payload such as an img onerror that calls window.parent.postMessage. A tester using an AI assistant runs the generate_locators tool against that app; the returned MCP UI resource is rendered in the victim's MCP client, the script executes, and it silently invokes registered MCP tools (e.g., capture screenshots or dump page source). … |
| Remediation | Vendor-released patch: upgrade appium-mcp to 1.85.10 or later, which HTML-escapes tagName, text, contentDesc, resourceId, selector and strategy via a new escapeHtml() helper and replaces the inline onclick handler with data-strategy/data-selector attributes plus a delegated click listener (see commit e222bbbd6fe2b656a320efcd143563f08061a83d and advisory GHSA-x975-rgx4-5fh4). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all systems running appium-mcp versions 1.85.9 or earlier in your QA and test automation infrastructure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today