High
CVSS: 8.3
Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of a…
Medium
CVSS: 6.4
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without an…
Medium
CVSS: 5.5
Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.
High
CVSS: 7.6
Mattermost Desktop App versions
Low
CVSS: 3.1
In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure
Medium
CVSS: 5.3
Improper authorization in handler for custom URL scheme issue in "Yahoo! Shopping" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a…
Medium
CVSS: 4.3
Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client This vulnerability affects Fi…