PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58500 appium CVE debrief

MCP Appium versions prior to 1.85.10 are vulnerable to AI tool execution via injected HTML and JavaScript. The createLocatorGeneratorUI function interpolates attacker-controlled element attributes into an HTML template literal without escaping, allowing an attacker to inject arbitrary HTML and JavaScript. When a victim's MCP client renders this resource, the injected script executes and can invoke arbitrary MCP tools. This issue has been fixed in version 1.85.10. Affected product or component is MCP Appium, and the vulnerability class is related to HTML and JavaScript injection.

Vendor
appium
Product
appium-mcp
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of MCP Appium versions prior to 1.85.10 should update to version 1.85.10 or later to prevent AI tool execution via injected HTML and JavaScript. This update will prevent attackers from injecting arbitrary HTML and JavaScript into the MCP UI resource. Affected operators, platforms, vulnerability-management, and security teams should review and restrict access to the generate_locators tool.

Technical summary

The createLocatorGeneratorUI function in MCP Appium interpolates attacker-controlled element attributes — text, content-desc, resource-id, and locator selector values — directly into an HTML template literal without any HTML or JavaScript context escaping. An attacker who controls the UI of the app under test can inject arbitrary HTML and JavaScript into the MCP UI resource returned by the generate_locators tool. When a victim's MCP client renders this resource, the injected script executes and can invoke arbitrary MCP tools via window.parent.postMessage. This issue has been fixed in version 1.85.10.

Defensive priority

High

Recommended defensive actions

  • Update MCP Appium to version 1.85.10 or later
  • Review and restrict access to the generate_locators tool
  • Monitor for suspicious activity in MCP client logs
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-13T22:16:48.677Z and has not been modified since then. The NVD entry is currently 8.2 HIGH. The createLocatorGeneratorUI function interpolates attacker-controlled element attributes — text, content-desc, resource-id, and locator selector values — directly into an HTML template literal without any HTML or JavaScript context escaping. This allows an attacker to inject arbitrary HTML and JavaScript into the MCP UI resource returned by the generate_locators tool. A victim's MCP client renders this resource, leading to unauthorized MCP tool execution via window.parent.postMessage. Users should verify affected scope and update to version 1.85.10 or later.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T22:16:48.677Z and has not been modified since then.