Dunamu StockPlus CVE-2025-7890
Severity: LOW (by source)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A vulnerability was found in Dunamu StockPlus App up to 7.62.10 on Android. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.dunamu.stockplus. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Dunamu StockPlus Android app versions up to 7.62.10 improperly export application components via AndroidManifest.xml configuration, allowing local attackers with low privileges to access sensitive functionality. The vulnerability requires local device access and affects the com.dunamu.stockplus component, resulting in limited information disclosure. Publicly available exploit code exists, and the vendor did not respond to early disclosure notification.
Technical Context (AI)
Android applications declare exported components in AndroidManifest.xml to define which activities, services, broadcast receivers, or content providers are accessible to other applications on the device. CWE-926 (Improper Export of Android Application Components) occurs when developers fail to restrict component visibility, allowing any app with appropriate permissions to invoke those components. In this case, the com.dunamu.stockplus component is exported without proper access controls, enabling a local attacker with basic app permissions to interact with sensitive functionality that should remain internal. This is a fundamental Android security misconfiguration rather than a code execution flaw.
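The misconfiguration class described above can be audited directly from the manifest. The following Python script is an added example, not code from vuln.today, Dunamu or the StockPlus app: it parses a constructed AndroidManifest.xml (hypothetical package name, hypothetical component names) using the standard library, applies Android's export rules (an explicit android:exported wins; otherwise a component with an intent-filter is exported by default), exempts the launcher activity, and reports every exported activity, service, receiver or provider that requires no permission. The sample manifest shows the weak form (exported with no permission, or implicitly exported) beside the two corrected forms (gated behind a signature-level permission, or kept internal with android:exported="false"), and harden_manifest applies the latter fix to the flagged components.

```python
"""Audit an AndroidManifest.xml for CWE-926 (exported components without a permission)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix when re-serialising
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest. The package and component names are hypothetical
# placeholders; this is not the manifest of any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <permission android:name="com.example.placeholder.INTERNAL"
      android:protectionLevel="signature"/>
  <application>
    <!-- Launcher activity: expected to be exported -->
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- Weak: explicitly exported, no permission required -->
    <activity android:name=".AccountDetailActivity" android:exported="true"/>
    <!-- Weak: implicitly exported (intent-filter present, android:exported omitted) -->
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.placeholder.SYNC"/></intent-filter>
    </service>
    <!-- Corrected: exported but gated behind a signature-level permission -->
    <receiver android:name=".OrderReceiver" android:exported="true"
        android:permission="com.example.placeholder.INTERNAL"/>
    <!-- Corrected: kept internal -->
    <provider android:name=".DataProvider" android:authorities="com.example.placeholder.data"
        android:exported="false"/>
  </application>
</manifest>
"""


def _a(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_launcher(elem):
    """True for the MAIN/LAUNCHER activity, which must be exported."""
    for f in elem.findall("intent-filter"):
        actions = {_a(a, "name") for a in f.findall("action")}
        cats = {_a(c, "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def is_exported(elem):
    """Android's rule: explicit android:exported wins; otherwise an intent-filter
    implies exported (apps targeting Android 12+ must declare it explicitly)."""
    exported = _a(elem, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return elem.find("intent-filter") is not None


def find_exposed_components(manifest_xml):
    """Return (tag, name) for each exported component that no permission guards."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    findings = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem) or is_launcher(elem):
            continue
        guard = _a(elem, "permission")
        if elem.tag == "provider":  # providers may be guarded per direction instead
            guard = guard or _a(elem, "readPermission") or _a(elem, "writePermission")
        if guard is None:
            findings.append((elem.tag, _a(elem, "name")))
    return findings


def harden_manifest(manifest_xml):
    """Set android:exported="false" on every flagged component and return the new XML."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    exposed = {name for _, name in find_exposed_components(manifest_xml)}
    for elem in app:
        if elem.tag in COMPONENT_TAGS and _a(elem, "name") in exposed:
            elem.set(f"{{{ANDROID_NS}}}exported", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for tag, name in find_exposed_components(SAMPLE_MANIFEST):
        print(f"{tag} {name}: exported without a permission")
```

Run it against a decoded manifest (for example the output of apktool or aapt2 dump) to list the components a reviewer should either mark android:exported="false" or protect with a permission whose protectionLevel is signature; for components that must stay reachable by third-party apps, the fix is the permission, not blanket un-exporting.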
Remediation (AI)
Dunamu has not released a patched version at this time. Users should upgrade to a version newer than 7.62.10 if one becomes available in the Google Play Store; verify the current app version in Settings and check for updates. Since the vendor did not respond to disclosure, no official fix timeline exists. As a compensating control on Android 6.0 and later, users can restrict the app's permissions via Settings > Apps > StockPlus > Permissions to limit what the app, and therefore anything that reaches its exported components, can do; this does not prevent other installed apps with overlapping permissions from invoking the exported components. Consider uninstalling and reinstalling the app only if a newer version is available in the store. Enterprise users should block installation via Mobile Device Management if internal financial apps conflict with exposed StockPlus components.