Is there a public PoC exploit available for CVE-2026-12065?

Yes, a public proof-of-concept exploit is available for CVE-2026-12065. Prioritise patching immediately. EPSS: 0.0%.

Groww Android App CVE-2026-12065

Q: What is the CVSS score of CVE-2026-12065?

CVE-2026-12065 has a CVSS 4.0 base score of 0.3 (Low). CVSS vector: CVSS:4.0/AV:P/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-36417 LOW

Improper Authorization in Handler for Custom URL Scheme (CWE-939)

2026-06-12 VulDB

GHSA-c3gw-qw4g-hx8g

Google Information Disclosure Stock Mutual Fund Gold App

0.3

CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY

0.3 LOW

CVSS:4.0/AV:P/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI

1.8 LOW

Physical access required and high complexity per description; low privileges needed; only low integrity impact with no confidentiality or availability compromise confirmed.

3.1 AV:P/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

4.0 AV:P/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:P/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Physical

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Jun 12, 2026 - 14:24 vuln.today

CVSS changed

Jun 12, 2026 - 14:22 NVD

1.0 (LOW) 0.3 (LOW)

DescriptionCVE.org

A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.

AnalysisAI

Improper authorization in the WebView URL Handler of the Groww Stock, Mutual Fund, Gold App for Android (all versions up to build 20260805) allows a low-privileged attacker with physical device access to invoke custom URL scheme handlers without proper authorization, enabling unauthorized in-app navigation or bypass of client-side access controls. The CVSS 4.0 score of 0.3 reflects severe exploitation constraints: physical access is mandatory, attack complexity is high, and impact is limited to low integrity compromise with no confirmed confidentiality exposure. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Gain physical access to unlocked Android device

Delivery

Launch or access Groww app on device

Exploit

Craft malicious custom URL scheme payload

Execution

Inject URL into WebView handler

Persist

Bypass client-side authorization check

Impact

Perform unauthorized in-app action (e.g., access restricted screen or bypass app lock)