CVE-2026-26208
HIGHCVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Tags
Description
ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects. This allows an attacker to supply a crafted JSON file containing a gadget chain (e.g., ObjectDataProvider) to execute arbitrary code when the application launches and subsequently saves its settings. This vulnerability is fixed in Beta 0.9.26020.
Analysis
ADB Explorer on Windows versions prior to Beta 0.9.26020 allows local attackers to achieve remote code execution by crafting a malicious App.txt settings file that exploits insecure JSON deserialization with enabled type name handling. An attacker can inject a gadget chain payload into the configuration file that executes arbitrary code when the application launches and processes settings. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running ADB Explorer and document inventory; restrict network access to affected systems where possible. Within 7 days: Contact ADB Explorer developers for patch availability timeline; evaluate whether ADB Explorer is business-critical or can be temporarily uninstalled; test alternative Android debugging solutions. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today