Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Scripting (XSS) in GeniexWebView component in Transsion AI Assistant Lifestyle application (com.transsion.aiassistantlifestyle) all versions on Android allows remote attacker to execute arbitrary JavaScript in the WebView context via crafted web_action_data URL parameter.
AnalysisAI
Cross-site scripting in the GeniexWebView component of Transsion's AI Assistant Lifestyle Android application (com.transsion.aiassistantlifestyle) enables unauthenticated remote attackers to execute arbitrary JavaScript within the app's WebView context by delivering a crafted web_action_data URL parameter to a victim. The Changed scope (S:C) in the CVSS vector indicates impact crosses the originating component boundary - a meaningful risk in Android WebViews where JavaScript-to-native bridges may be exposed. No public exploit identified at time of analysis, and the EPSS score of 0.12% at the 31st percentile signals low current exploitation interest.
Technical ContextAI
The GeniexWebView component is an embedded Android WebView within TECNO Mobile's AI Assistant Lifestyle app (CPE: cpe:2.3:a:tecno_mobile:com.transsion.aiassistantlifestyle:*:*:*:*:*:*:*:*). Android WebViews render web content inside a native app context and can, when misconfigured, expose JavaScript interface bridges (addJavascriptInterface) that grant injected scripts access to device APIs or sensitive app internals. The root cause is CWE-79 - improper neutralization of user-supplied input (specifically the web_action_data URL parameter) before it is rendered in the WebView. Because the CVSS scope is Changed, the injected script's impact is assessed to reach beyond the WebView sandbox into adjacent app or system resources, a common risk when WebViews bridge to native Android code.
RemediationAI
No vendor-released patched version is independently confirmed from the available reference data - the TECNO Mobile SRC advisory page (https://security.tecno.com/SRC/securityUpdates) should be consulted directly for the latest patch status and specific fixed version details. Users of com.transsion.aiassistantlifestyle should monitor the Google Play Store for an updated release from TECNO Mobile and apply any available update immediately. As a compensating control pending a patch, users should avoid interacting with unsolicited or untrusted URLs that may be processed by the AI Assistant Lifestyle app. Enterprise MDM administrators managing TECNO device fleets should consider disabling or restricting the AI Assistant Lifestyle app via policy until a confirmed fix version is available. Note that restricting the app may impact its core functionality.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33874
GHSA-56gg-pgfw-2rpm