Is there a public PoC exploit available for EUVD-2026-18599?

Yes, a public proof-of-concept exploit is available for EUVD-2026-18599. Prioritise patching immediately. EPSS: 0.0%.

Google EUVD-2026-18599

Q: What is the CVSS score of EUVD-2026-18599?

EUVD-2026-18599 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-5454 LOW

Use of Hard-coded Cryptographic Key (CWE-321)

2026-04-03 VulDB

GHSA-v55w-28r9-q537

Google Information Disclosure

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

PoC Detected

Apr 03, 2026 - 16:10 vuln.today

Public exploit code

EUVD ID Assigned

Apr 03, 2026 - 05:15 euvd

EUVD-2026-18599

Analysis Generated

Apr 03, 2026 - 05:15 vuln.today

CVE Published

Apr 03, 2026 - 04:45 nvd

LOW 1.9

DescriptionCVE.org

A vulnerability was found in GRID Organiser App up to 1.0.5 on Android. Impacted is an unknown function of the file file res/raw/app.json of the component co.gridapp.organiser. Performing a manipulation of the argument SegmentWriteKey results in use of hard-coded cryptographic key . The attack is only possible with local access. The exploit has been made public and could be used.

AnalysisAI

GRID Organiser App versions 1.0.0 through 1.0.5 on Android expose a hard-coded cryptographic key used for the SegmentWriteKey parameter in the res/raw/app.json component file, enabling local attackers with user-level privileges to manipulate argument values and potentially perform data injection and user profile manipulation. The vulnerability has a CVSS v4.0 score of 1.9 with low confidentiality impact, requires local access and low privileges, and publicly available exploit code exists, though active exploitation has not been confirmed by CISA.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents minimal real-world risk despite public exploit availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with physical access to an Android device or an app distribution compromise can extract the APK, decompile it to access res/raw/app.json, recover the hard-coded Segment write key, and use it to craft malicious API requests that inject or manipulate user event data or profile information sent to the Segment analytics backend. Publicly available exploit code (linked via Notion document in references) demonstrates the key extraction and data manipulation process, allowing a technically knowledgeable local attacker to perform this attack without sophisticated tools or deep reverse-engineering skill.
Remediation	Users should update GRID Organiser App to a version newer than 1.0.5 once available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-18599 vulnerability details – vuln.today

Back