Skip to main content

Lenovo Application CVE-2026-7516

| EUVDEUVD-2026-36046 MEDIUM
Exposed Dangerous Method or Function (CWE-749)
2026-06-10 lenovo GHSA-wx95-xvqf-3525
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch available
Jun 10, 2026 - 16:01 EUVD
Analysis Generated
Jun 10, 2026 - 15:32 vuln.today
CVSS changed
Jun 10, 2026 - 15:22 NVD
4.3 (MEDIUM) 5.1 (MEDIUM)
CVE Published
Jun 10, 2026 - 14:08 nvd
MEDIUM 5.1

DescriptionNVD

A vulnerability was identified in the Lenovo Android Application, distributed exclusively on tablets in the Chinese market, that could allow a website visited by the built-in browser to overwrite system clipboard contents.

AnalysisAI

Clipboard hijacking in Lenovo's built-in Android browser application allows a malicious website to silently overwrite system clipboard contents on affected devices. The vulnerability impacts Lenovo Android tablets distributed exclusively in the Chinese market, enabling a network-based attacker to manipulate clipboard data when a user visits a crafted website. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; EPSS data was not provided in available intelligence.

Technical ContextAI

The affected component is the Lenovo-developed Android Application (CPE: cpe:2.3:a:lenovo:application:*:*:*:*:*:*:*:*) bundled as a built-in browser on Lenovo tablets sold in China. The root cause is classified as CWE-749 (Exposed Dangerous Method or Function), meaning the browser exposes a privileged Android API or JavaScript interface that should not be accessible to untrusted web content - specifically, the ability to write to the Android system clipboard. This class of vulnerability typically arises when a WebView-based application registers a JavaScript bridge or addJavascriptInterface binding that exposes clipboard-write functionality without proper origin validation or permission gating. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms the attack is network-initiated, low complexity, requires no attacker privileges, but does require active user interaction (the user must navigate to a malicious page).

RemediationAI

The primary remediation is to apply the vendor-released patch per Lenovo's official advisory at https://iknow.lenovo.com.cn/detail/440821; an exact fixed application version was not independently confirmed from the provided data and should be obtained directly from that advisory. Users on affected Lenovo Chinese-market tablets should update the Lenovo Application via the device's system update mechanism or app update channel as instructed by Lenovo. As a compensating control prior to patching, users should avoid using the built-in browser for general web browsing, particularly on untrusted or unknown sites, and instead use a third-party browser (Chrome, Firefox) that does not expose this clipboard interface. Additionally, users should be cautious when pasting clipboard content after browsing - especially for cryptocurrency wallet addresses, passwords, or sensitive URLs - by manually verifying clipboard contents before use. Note that restricting the built-in browser may affect system-level functionality on these tablets if it is used as the default handler for links.

More in Lenovo

View all
CVE-2012-1195 HIGH POC
7.5 Feb 18

Unrestricted file upload vulnerability in andesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup

CVE-2012-1196 MEDIUM POC
5.0 Feb 18

Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagemen

CVE-2015-2219 HIGH POC
7.2 May 12

Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allo

CVE-2018-14066 CRITICAL POC
9.8 Jul 15

The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phone

CVE-2026-58583 HIGH POC
8.4 Jul 07

Local privilege escalation in the FluxInk (formerly Sunia SPB Peripheral) Color Management Driver TcnPeripheral64.sys ve

CVE-2017-7293 HIGH POC
7.8 Apr 26

The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to

CVE-2015-6971 HIGH POC
7.8 Oct 03

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the

CVE-2015-8110 HIGH POC
7.8 Apr 24

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by nav

CVE-2021-3633 HIGH POC
7.8 Aug 17

A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow

CVE-2022-0354 HIGH POC
7.3 Apr 22

A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ab

CVE-2015-8109 HIGH POC
7.0 Apr 24

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by mak

CVE-2017-3761 CRITICAL
9.8 Oct 17

The Lenovo Service Framework Android application executes some system commands without proper sanitization of external i

Share

CVE-2026-7516 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy