CVE-2026-58500
Received Received - Intake

MCP Appium HTML Injection via Unsanitized Element Attributes

Vulnerability report for CVE-2026-58500, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: GitHub, Inc.

Description

MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS. In versions prior to 1.85.10, the createLocatorGeneratorUI function interpolates attacker-controlled element attributes β€” text, content-desc, resource-id, and locator selector values β€” directly into an HTML template literal without any HTML or JavaScript context escaping. An attacker who controls the UI of the app under test can inject arbitrary HTML and JavaScript into the MCP UI resource returned by the generate_locators tool. When a victim's MCP client renders this resource, the injected script executes and can invoke arbitrary MCP tools via window.parent.postMessage, leading to unauthorized MCP tool execution such as taking screenshots, reading page source, or any other registered capability. This issue has been fixed in version 1.85.10.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mcp mcp_appium to 1.85.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58500 is a vulnerability in MCP Appium, a server that enables AI assistants to automate mobile app testing on Android and iOS. The issue lies in the `createLocatorGeneratorUI` function, which interpolates attacker-controlled element attributes (such as text, content-desc, resource-id, and locator selector values) directly into an HTML template literal without proper escaping for HTML or JavaScript contexts.

An attacker who controls the UI of the app under test can inject arbitrary HTML and JavaScript into the MCP UI resource returned by the `generate_locators` tool. When a victim's MCP client renders this resource, the injected script executes, allowing the attacker to invoke arbitrary MCP tools via `window.parent.postMessage`. This can lead to unauthorized actions, such as taking screenshots, reading page source, or executing other registered capabilities.

The vulnerability has been fixed in version 1.85.10 of MCP Appium.

Impact Analysis

If you are using MCP Appium versions prior to 1.85.10, this vulnerability could have several impacts:

  • Unauthorized access to sensitive data: An attacker could exploit the vulnerability to read the page source of the app under test, potentially exposing sensitive information.
  • Execution of arbitrary MCP tools: The injected script can invoke MCP tools, allowing an attacker to perform actions like taking screenshots, which could capture confidential data.
  • Compromise of testing integrity: The vulnerability could be used to manipulate test results or interfere with automated testing processes, leading to unreliable outcomes.
  • Potential for further exploitation: If the MCP environment has additional privileges or access to other systems, the attacker might leverage this vulnerability as a stepping stone for broader attacks.
Compliance Impact

This vulnerability could impact compliance with several standards and regulations, depending on the context in which MCP Appium is used:

  • GDPR (General Data Protection Regulation): If the app under test processes personal data of EU citizens, unauthorized access to this data (e.g., via reading page source or taking screenshots) could violate GDPR principles, such as data protection by design and default (Article 25) and the requirement to implement appropriate security measures (Article 32). A breach could lead to significant fines and reputational damage.
  • HIPAA (Health Insurance Portability and Accountability Act): If MCP Appium is used in a healthcare context to test apps handling protected health information (PHI), this vulnerability could result in unauthorized access to PHI. This would constitute a breach under HIPAA, potentially leading to penalties and mandatory breach notifications.
  • Other industry-specific regulations: Depending on the sector (e.g., finance, government), similar vulnerabilities could violate standards like PCI DSS (for payment data) or FISMA (for U.S. federal systems). Non-compliance could result in legal consequences, loss of certifications, or contractual penalties.

To maintain compliance, organizations should ensure they are using the patched version of MCP Appium (1.85.10 or later) and conduct a risk assessment to determine if any data was exposed or compromised due to this vulnerability.

Detection Guidance

Detecting CVE-2026-58500 on your network or system involves checking for vulnerable versions of MCP Appium (versions prior to 1.85.10) and monitoring for suspicious activity related to the exploitation of this vulnerability. Below are some steps and commands to help identify potential exposure:

  • Check the installed version of MCP Appium. If it is prior to 1.85.10, the system is vulnerable. You can verify the version by running the following command if MCP Appium provides a version check utility: `mcp-appium --version` or inspecting the installation directory for version metadata.
  • Monitor network traffic for unusual interactions with the MCP Appium server, particularly requests to the `generate_locators` tool endpoint. Use network monitoring tools like Wireshark or tcpdump to capture and analyze traffic: `tcpdump -i <interface> -w mcp_traffic.pcap 'port <MCP_Appium_Port>'`.
  • Inspect logs for the MCP Appium server for any unexpected or malformed requests, especially those containing HTML or JavaScript payloads in element attributes (e.g., `text`, `content-desc`, `resource-id`, or `locator` values).
  • Review the MCP UI resources returned by the `generate_locators` tool for signs of injected HTML or JavaScript. This may require manual inspection of the responses or automated scanning for suspicious patterns.
Mitigation Strategies

To mitigate CVE-2026-58500, follow these immediate steps:

  • Upgrade MCP Appium to version 1.85.10 or later, as this version includes the fix for the vulnerability. Refer to the official MCP Appium documentation or release notes for upgrade instructions.
  • If upgrading is not immediately possible, restrict access to the MCP Appium server to trusted networks or users only. Use firewalls or network segmentation to limit exposure to potential attackers.
  • Disable or restrict the `generate_locators` tool if it is not essential for your workflow. This can prevent exploitation of the vulnerability until the upgrade is completed.
  • Monitor the MCP Appium server for any signs of exploitation, such as unusual requests or unexpected script execution in the MCP UI. Implement logging and alerting for suspicious activity.
  • Educate users and developers about the risks of injecting untrusted input into MCP Appium tools, particularly those that generate UI resources or interact with the MCP client.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart