{"vulnerability": "ghsa-x975-rgx4-5fh4", "sightings": [{"uuid": "f190a1e2-c37a-4d95-94f8-f9ff3b48af1f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-X975-RGX4-5FH4", "type": "seen", "source": "https://gist.github.com/alon710/8de6af61b9d07c38419cacde992ae1f8", "content": "# GHSA-X975-RGX4-5FH4: GHSA-X975-RGX4-5FH4: Unescaped Locator Data Cross-Site Scripting in appium-mcp MCP-UI Resource\n\n&gt; **CVSS Score:** 8.2\n&gt; **Published:** 2026-06-19\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-X975-RGX4-5FH4\n\n## Summary\nGHSA-X975-RGX4-5FH4 is a high-severity Cross-Site Scripting (XSS) vulnerability residing in the Model Context Protocol (MCP) User Interface (UI) component of appium-mcp, an NPM package integrating Appium with MCP clients. The flaw exists within the createLocatorGeneratorUI utility function, which renders UI metadata directly into an HTML template page without performing sanitization or encoding. Because MCP clients use window.parent.postMessage to send commands from the UI to the host, this XSS can be escalated to trigger arbitrary MCP tool calls, potentially leading to Remote Code Execution (RCE) on the host running the MCP client.\n\n## TL;DR\nA Cross-Site Scripting (XSS) vulnerability in the Appium Model Context Protocol (MCP) server allows unescaped layout metadata to execute malicious JavaScript in the client's inspector WebView, leading to arbitrary host command execution via postMessage exploitation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-79\n- **Attack Vector**: Network\n- **CVSS Score**: 8.2 (High)\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n- **Impact**: Client-Side Script Execution / Host Command Injection via postMessage\n\n## Affected Systems\n\n- appium-mcp NPM package\n- **appium-mcp**: &lt; 1.85.10 (Fixed in: `1.85.10`)\n\n## Mitigation\n\n- Upgrade appium-mcp to v1.85.10 or later\n- Enforce strict Content Security Policy (CSP) blocking inline scripts\n- Restrict postMessage listeners to validated origins\n\n**Remediation Steps:**\n1. Run npm install appium-mcp@latest to fetch the latest secure release\n2. Restart any active MCP-UI or Claude Desktop environments utilizing the package\n3. Configure iframe sandboxing properties on the parent container view to isolate the WebView execution space\n\n## References\n\n- [GitHub Security Advisory GHSA-X975-RGX4-5FH4](https://github.com/advisories/GHSA-X975-RGX4-5FH4)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-X975-RGX4-5FH4) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-22T04:11:55.000000Z"}, {"uuid": "29647b55-0c4b-4181-bed3-23b3e725297f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-X975-RGX4-5FH4", "type": "seen", "source": "https://gist.github.com/alon710/5d611a6037648e98f6e55065eed852b3", "content": "# GHSA-X975-RGX4-5FH4: GHSA-X975-RGX4-5FH4: Unescaped Locator Data Cross-Site Scripting in appium-mcp MCP-UI Resource\n\n&gt; **CVSS Score:** 8.2\n&gt; **Published:** 2026-06-19\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-X975-RGX4-5FH4\n\n## Summary\nGHSA-X975-RGX4-5FH4 is a high-severity Cross-Site Scripting (XSS) vulnerability residing in the Model Context Protocol (MCP) User Interface (UI) component of appium-mcp, an NPM package integrating Appium with MCP clients. The flaw exists within the createLocatorGeneratorUI utility function, which renders UI metadata directly into an HTML template page without performing sanitization or encoding. Because MCP clients use window.parent.postMessage to send commands from the UI to the host, this XSS can be escalated to trigger arbitrary MCP tool calls, potentially leading to Remote Code Execution (RCE) on the host running the MCP client.\n\n## TL;DR\nA Cross-Site Scripting (XSS) vulnerability in the Appium Model Context Protocol (MCP) server allows unescaped layout metadata to execute malicious JavaScript in the client's inspector WebView, leading to arbitrary host command execution via postMessage exploitation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-79\n- **Attack Vector**: Network\n- **CVSS Score**: 8.2 (High)\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n- **Impact**: Client-Side Script Execution / Host Command Injection via postMessage\n\n## Affected Systems\n\n- appium-mcp NPM package\n- **appium-mcp**: &lt; 1.85.10 (Fixed in: `1.85.10`)\n\n## Mitigation\n\n- Upgrade appium-mcp to v1.85.10 or later\n- Enforce strict Content Security Policy (CSP) blocking inline scripts\n- Restrict postMessage listeners to validated origins\n\n**Remediation Steps:**\n1. Run npm install appium-mcp@latest to fetch the latest secure release\n2. Restart any active MCP-UI or Claude Desktop environments utilizing the package\n3. Configure iframe sandboxing properties on the parent container view to isolate the WebView execution space\n\n## References\n\n- [GitHub Security Advisory GHSA-X975-RGX4-5FH4](https://github.com/advisories/GHSA-X975-RGX4-5FH4)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-X975-RGX4-5FH4) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-22T04:21:36.000000Z"}]}