Skip to main content

Google CVE-2026-9219

| EUVDEUVD-2026-39591 HIGH
Generation of Predictable Numbers or Identifiers (CWE-340)
2026-06-26 ics-cert@hq.dhs.gov GHSA-jpv7-7g7j-hgwr
8.3
CVSS 4.0 · Vendor: hq
Share

Severity by source

Vendor (hq) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (hq) · only source for this CVE.

CVSS VectorVendor: hq

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 26, 2026 - 00:31 vuln.today
CVE Published
Jun 26, 2026 - 00:16 cve.org
HIGH 8.3

DescriptionCVE.org

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment. If an attacker is able to obtain the registration ID, they would be able to arbitrarily enroll watches belonging to other users.

AnalysisAI

Unauthorized device enrollment in the Setracker2 Android companion app (com.tgelec.setracker) versions 3.1.5 and prior lets remote attackers hijack other users' GPS smartwatches by guessing their registration ID. The registration ID is predictably derived from the device IMEI, and the enrollment workflow performs no secondary authentication before binding a watch to an account, so an attacker who learns or calculates the ID can take over the target's tracker. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: Audit all Setracker2 deployments, document affected versions, and identify high-priority targets (child tracking, field operations). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy