Monthly
Improper export of Android application components in the ASUS Router App enables any co-installed third-party application on the same Android device to send a crafted Intent that forces the ASUS Router App to navigate to an attacker-specified URL. The flaw, classified as CWE-926, allows an attacker-controlled application to abuse the exposed component as an open redirect, potentially rendering phishing content or harvesting router management credentials within the app's trusted interface context. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Location spoofing in the Home Assistant Android companion app prior to 2026.5.3 allows any co-installed application - even one with zero runtime permissions - to forge the device's reported GPS position by broadcasting a crafted Google Play Services LocationResult to an unprotected exported BroadcastReceiver. The forged coordinates are forwarded to the user's Home Assistant server as the device's real location, defeating Android's developer-mode Mock Location gate and enabling abuse of zone-based automations such as unlocking doors, disarming alarms, or opening garages. No public exploit identified at time of analysis, and the issue is patched in 2026.5.3 by unexporting LocationSensorManager and introducing a thin RequestAccurateLocationReceiver proxy that drops attacker-supplied extras.
An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.
Improper export of Android application components in Fortinet FortiToken Android 5.2, 6.1, and 6.2 allows local authenticated attackers to gain unauthorized access to sensitive information via exposed application components that lack proper access control. The vulnerability has a CVSS score of 5.0 with local attack vector and requires low privileges, enabling information disclosure without user interaction. No public exploit code has been identified, and the vulnerability is not listed in active exploitation databases at the time of analysis.
Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities.
Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls. [CVSS 7.5 HIGH]
Yalantis uCrop 2.2.11 contains an improperly exported Android application component (UCropActivity) in AndroidManifest.xml that allows local attackers with application-level privileges to access the component via intent manipulation, potentially disclosing sensitive information. The vulnerability requires local access and user application permissions but affects confidentiality with low impact. Public exploit code is available, though the EPSS score of 0.06% suggests limited real-world exploitation despite public disclosure.
A vulnerability was detected in SKTLab Mukbee App 1.01.196 on Android. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability was determined in Webull Investing & Trading App 11.2.5.63 on Android. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability was found in Ooma Office Business Phone App up to 7.2.2 on Android. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.
Improper export of Android application components in the ASUS Router App enables any co-installed third-party application on the same Android device to send a crafted Intent that forces the ASUS Router App to navigate to an attacker-specified URL. The flaw, classified as CWE-926, allows an attacker-controlled application to abuse the exposed component as an open redirect, potentially rendering phishing content or harvesting router management credentials within the app's trusted interface context. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Location spoofing in the Home Assistant Android companion app prior to 2026.5.3 allows any co-installed application - even one with zero runtime permissions - to forge the device's reported GPS position by broadcasting a crafted Google Play Services LocationResult to an unprotected exported BroadcastReceiver. The forged coordinates are forwarded to the user's Home Assistant server as the device's real location, defeating Android's developer-mode Mock Location gate and enabling abuse of zone-based automations such as unlocking doors, disarming alarms, or opening garages. No public exploit identified at time of analysis, and the issue is patched in 2026.5.3 by unexporting LocationSensorManager and introducing a thin RequestAccurateLocationReceiver proxy that drops attacker-supplied extras.
An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.
Improper export of Android application components in Fortinet FortiToken Android 5.2, 6.1, and 6.2 allows local authenticated attackers to gain unauthorized access to sensitive information via exposed application components that lack proper access control. The vulnerability has a CVSS score of 5.0 with local attack vector and requires low privileges, enabling information disclosure without user interaction. No public exploit code has been identified, and the vulnerability is not listed in active exploitation databases at the time of analysis.
Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities.
Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls. [CVSS 7.5 HIGH]
Yalantis uCrop 2.2.11 contains an improperly exported Android application component (UCropActivity) in AndroidManifest.xml that allows local attackers with application-level privileges to access the component via intent manipulation, potentially disclosing sensitive information. The vulnerability requires local access and user application permissions but affects confidentiality with low impact. Public exploit code is available, though the EPSS score of 0.06% suggests limited real-world exploitation despite public disclosure.
A vulnerability was detected in SKTLab Mukbee App 1.01.196 on Android. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability was determined in Webull Investing & Trading App 11.2.5.63 on Android. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability was found in Ooma Office Business Phone App up to 7.2.2 on Android. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.