Appium Mcp
Monthly
Cross-site scripting in appium-mcp (the Appium MCP server) versions <= 1.85.9 lets an attacker who controls the mobile app under test inject arbitrary HTML/JavaScript into the MCP UI resource returned by the generate_locators tool, because createLocatorGeneratorUI interpolates element attributes (text, content-desc, resource-id, selector, strategy) into an HTML template without escaping. When a victim's MCP client renders the resource, the injected script runs and can call arbitrary registered MCP tools via window.parent.postMessage (screenshots, page-source reads, etc.). No public exploit identified at time of analysis, though the fix commit ships XSS test cases; fixed in 1.85.10.
Cross-site scripting in appium-mcp (the Appium MCP server) versions <= 1.85.9 lets an attacker who controls the mobile app under test inject arbitrary HTML/JavaScript into the MCP UI resource returned by the generate_locators tool, because createLocatorGeneratorUI interpolates element attributes (text, content-desc, resource-id, selector, strategy) into an HTML template without escaping. When a victim's MCP client renders the resource, the injected script runs and can call arbitrary registered MCP tools via window.parent.postMessage (screenshots, page-source reads, etc.). No public exploit identified at time of analysis, though the fix commit ships XSS test cases; fixed in 1.85.10.