Skip to main content

AI Assistant Lifestyle CVE-2026-10510

| EUVDEUVD-2026-33874 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-02 TECNOMobile GHSA-56gg-pgfw-2rpm
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 14:30 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
6.1 (MEDIUM)
CVE Published
Jun 02, 2026 - 01:56 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 02, 2026 - 01:56 nvd
MEDIUM 6.1

DescriptionCVE.org

Cross-Site Scripting (XSS) in GeniexWebView component in Transsion AI Assistant Lifestyle application (com.transsion.aiassistantlifestyle) all versions on Android allows remote attacker to execute arbitrary JavaScript in the WebView context via crafted web_action_data URL parameter.

AnalysisAI

Cross-site scripting in the GeniexWebView component of Transsion's AI Assistant Lifestyle Android application (com.transsion.aiassistantlifestyle) enables unauthenticated remote attackers to execute arbitrary JavaScript within the app's WebView context by delivering a crafted web_action_data URL parameter to a victim. The Changed scope (S:C) in the CVSS vector indicates impact crosses the originating component boundary - a meaningful risk in Android WebViews where JavaScript-to-native bridges may be exposed. No public exploit identified at time of analysis, and the EPSS score of 0.12% at the 31st percentile signals low current exploitation interest.

Technical ContextAI

The GeniexWebView component is an embedded Android WebView within TECNO Mobile's AI Assistant Lifestyle app (CPE: cpe:2.3:a:tecno_mobile:com.transsion.aiassistantlifestyle:*:*:*:*:*:*:*:*). Android WebViews render web content inside a native app context and can, when misconfigured, expose JavaScript interface bridges (addJavascriptInterface) that grant injected scripts access to device APIs or sensitive app internals. The root cause is CWE-79 - improper neutralization of user-supplied input (specifically the web_action_data URL parameter) before it is rendered in the WebView. Because the CVSS scope is Changed, the injected script's impact is assessed to reach beyond the WebView sandbox into adjacent app or system resources, a common risk when WebViews bridge to native Android code.

RemediationAI

No vendor-released patched version is independently confirmed from the available reference data - the TECNO Mobile SRC advisory page (https://security.tecno.com/SRC/securityUpdates) should be consulted directly for the latest patch status and specific fixed version details. Users of com.transsion.aiassistantlifestyle should monitor the Google Play Store for an updated release from TECNO Mobile and apply any available update immediately. As a compensating control pending a patch, users should avoid interacting with unsolicited or untrusted URLs that may be processed by the AI Assistant Lifestyle app. Enterprise MDM administrators managing TECNO device fleets should consider disabling or restricting the AI Assistant Lifestyle app via policy until a confirmed fix version is available. Note that restricting the app may impact its core functionality.

Share

CVE-2026-10510 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy