Skip to main content

CWE-926

Improper Export of Android Application Components

69 CVEs Avg CVSS 3.4 MITRE
0
CRITICAL
7
HIGH
16
MEDIUM
46
LOW
26
POC
0
KEV

Monthly

CVE-2026-12960 MEDIUM This Month

Improper export of Android application components in the ASUS Router App enables any co-installed third-party application on the same Android device to send a crafted Intent that forces the ASUS Router App to navigate to an attacker-specified URL. The flaw, classified as CWE-926, allows an attacker-controlled application to abuse the exposed component as an open redirect, potentially rendering phishing content or harvesting router management credentials within the app's trusted interface context. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Information Disclosure Google Router App
NVD
CVSS 4.0
6.0
EPSS
0.1%
CVE-2026-54318 HIGH PATCH This Week

Location spoofing in the Home Assistant Android companion app prior to 2026.5.3 allows any co-installed application - even one with zero runtime permissions - to forge the device's reported GPS position by broadcasting a crafted Google Play Services LocationResult to an unprotected exported BroadcastReceiver. The forged coordinates are forwarded to the user's Home Assistant server as the device's real location, defeating Android's developer-mode Mock Location gate and enabling abuse of zone-based automations such as unlocking doors, disarming alarms, or opening garages. No public exploit identified at time of analysis, and the issue is patched in 2026.5.3 by unexporting LocationSensorManager and introducing a thin RequestAccurateLocationReceiver proxy that drops attacker-supplied extras.

Google Authentication Bypass Core
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-68713 HIGH This Week

An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.

Denial Of Service Google RCE N A
NVD GitHub
CVSS 3.1
8.0
EPSS
0.2%
CVE-2026-44279 MEDIUM This Month

Improper export of Android application components in Fortinet FortiToken Android 5.2, 6.1, and 6.2 allows local authenticated attackers to gain unauthorized access to sensitive information via exposed application components that lack proper access control. The vulnerability has a CVSS score of 5.0 with local attack vector and requires low privileges, enabling information disclosure without user interaction. No public exploit code has been identified, and the vulnerability is not listed in active exploitation databases at the time of analysis.

Fortinet Information Disclosure Google Fortitokenandroid
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-3291 MEDIUM This Month

Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities.

HP Samsung Google Information Disclosure
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2025-15464 HIGH POC This Week

Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls. [CVSS 7.5 HIGH]

Authentication Bypass Fun Print
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14517 LOW POC Monitor

Yalantis uCrop 2.2.11 contains an improperly exported Android application component (UCropActivity) in AndroidManifest.xml that allows local attackers with application-level privileges to access the component via intent manipulation, potentially disclosing sensitive information. The vulnerability requires local access and user application permissions but affects confidentiality with low impact. Public exploit code is available, though the EPSS score of 0.06% suggests limited real-world exploitation despite public disclosure.

Information Disclosure Google Ucrop
NVD VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2025-10722 LOW Monitor

A vulnerability was detected in SKTLab Mukbee App 1.01.196 on Android. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-10721 LOW Monitor

A vulnerability was determined in Webull Investing & Trading App 11.2.5.63 on Android. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-10718 LOW Monitor

A vulnerability was found in Ooma Office Business Phone App up to 7.2.2 on Android. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Google Microsoft Information Disclosure
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
EPSS 0% CVSS 6.0
MEDIUM This Month

Improper export of Android application components in the ASUS Router App enables any co-installed third-party application on the same Android device to send a crafted Intent that forces the ASUS Router App to navigate to an attacker-specified URL. The flaw, classified as CWE-926, allows an attacker-controlled application to abuse the exposed component as an open redirect, potentially rendering phishing content or harvesting router management credentials within the app's trusted interface context. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Information Disclosure Google Router App
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Location spoofing in the Home Assistant Android companion app prior to 2026.5.3 allows any co-installed application - even one with zero runtime permissions - to forge the device's reported GPS position by broadcasting a crafted Google Play Services LocationResult to an unprotected exported BroadcastReceiver. The forged coordinates are forwarded to the user's Home Assistant server as the device's real location, defeating Android's developer-mode Mock Location gate and enabling abuse of zone-based automations such as unlocking doors, disarming alarms, or opening garages. No public exploit identified at time of analysis, and the issue is patched in 2026.5.3 by unexporting LocationSensorManager and introducing a thin RequestAccurateLocationReceiver proxy that drops attacker-supplied extras.

Google Authentication Bypass Core
NVD GitHub
EPSS 0% CVSS 8.0
HIGH This Week

An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.

Denial Of Service Google RCE +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper export of Android application components in Fortinet FortiToken Android 5.2, 6.1, and 6.2 allows local authenticated attackers to gain unauthorized access to sensitive information via exposed application components that lack proper access control. The vulnerability has a CVSS score of 5.0 with local attack vector and requires low privileges, enabling information disclosure without user interaction. No public exploit code has been identified, and the vulnerability is not listed in active exploitation databases at the time of analysis.

Fortinet Information Disclosure Google +1
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities.

HP Samsung Google +1
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls. [CVSS 7.5 HIGH]

Authentication Bypass Fun Print
NVD
EPSS 0% CVSS 1.9
LOW POC Monitor

Yalantis uCrop 2.2.11 contains an improperly exported Android application component (UCropActivity) in AndroidManifest.xml that allows local attackers with application-level privileges to access the component via intent manipulation, potentially disclosing sensitive information. The vulnerability requires local access and user application permissions but affects confidentiality with low impact. Public exploit code is available, though the EPSS score of 0.06% suggests limited real-world exploitation despite public disclosure.

Information Disclosure Google Ucrop
NVD VulDB
EPSS 0% CVSS 1.9
LOW Monitor

A vulnerability was detected in SKTLab Mukbee App 1.01.196 on Android. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW Monitor

A vulnerability was determined in Webull Investing & Trading App 11.2.5.63 on Android. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW Monitor

A vulnerability was found in Ooma Office Business Phone App up to 7.2.2 on Android. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Google Microsoft Information Disclosure
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy