Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector with low-privilege co-resident app required; limited confidentiality, integrity, and availability impact; no scope change to other system components.
Primary rating from Vendor (VulDB).
Description (source: CVE.org)
A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. This affects an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in the handler for a custom URL scheme. The attack can only be executed locally. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
Improper authorization in Moovit Bus & Public Transit App 1.18 on Android exposes the com.tranzmate custom URL scheme handler to invocation by any locally installed application without proper authorization checks, enabling information disclosure and limited unauthorized manipulation of app functionality. The vulnerability is classified as CWE-939 and is restricted to local attack vectors, meaning a co-resident malicious application on the same Android device is required to trigger it. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata; the visualization is not reproduced here.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the attacker control a second application installed on the same Android device as Moovit Bus & Public Transit App 1.18; this is the concrete prerequisite derived from the local attack vector (AV:L) and the low-privilege requirement (PR:L in CVSS 4.0). … |
| Risk Assessment | The CVSS 4.0 base score of 4.8 (Medium) with vector AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L reflects a locally exploitable flaw with low complexity and limited impact across all three impact dimensions. … |
| Exploit Scenario | A threat actor distributes a malicious Android application, potentially via sideloading or a third-party app store, that, once installed on the victim's device, silently sends a crafted Intent targeting the com.tranzmate custom URL scheme handler in Moovit. Because the handler does not enforce authorization on the calling application, it processes the request and may return or expose transit account data, session tokens, or route information to the malicious app. … |
| Remediation | No vendor-released patch has been identified at the time of analysis; the vendor did not respond to the responsible disclosure. … |
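One way a custom-scheme handler can enforce the caller authorization the description says is missing, as an added example that is not Moovit's code: the scheme "tranzmate", the host names, the trusted package name and the manifest note are assumptions, since the app's real URL layout is not on the page.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example, not Moovit's code. Scheme, host and package names are assumed placeholders.
// Assumed manifest: only this Activity is android:exported="true" with the custom-scheme
// <intent-filter>; every other component stays unexported.
public class DeepLinkActivity extends Activity {
    private static final String TAG = "DeepLink";
    private static final String SCHEME = "tranzmate";
    // Read-only screens any app may open through a deep link.
    private static final Set<String> PUBLIC_HOSTS = new HashSet<>(Arrays.asList("route", "stop"));
    // Packages allowed to trigger account-level actions (here: the app itself only).
    private static final Set<String> TRUSTED_CALLERS = new HashSet<>(Arrays.asList("com.tranzmate"));
    enum Decision { REJECT, PUBLIC_VIEW, PRIVILEGED }
    // Pure policy function so it can be unit-tested without an Activity.
    static Decision authorize(Uri uri, String callingPackage) {
        if (uri == null || !SCHEME.equals(uri.getScheme()) || uri.getHost() == null) {
            return Decision.REJECT;          // malformed or foreign link
        }
        if (PUBLIC_HOSTS.contains(uri.getHost())) {
            return Decision.PUBLIC_VIEW;     // harmless navigation, no caller check needed
        }
        // Every other host may disclose or change user data, so it needs a system-attested
        // caller identity. getCallingPackage() is set only for startActivityForResult()
        // callers; an absent or unknown identity is treated as untrusted, not as the user.
        if (callingPackage != null && TRUSTED_CALLERS.contains(callingPackage)) {
            return Decision.PRIVILEGED;
        }
        return Decision.REJECT;
    }
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Decision d = authorize(getIntent().getData(), getCallingPackage());
        if (d == Decision.REJECT) {
            Log.w(TAG, "rejected deep link; caller=" + getCallingPackage());
            setResult(RESULT_CANCELED);      // hand nothing back to the caller
            finish();
            return;
        }
        Log.i(TAG, d + " for " + getIntent().getData());  // normal navigation continues here
    }
}
```

Rejected links are logged with the caller identity, which gives a detection signal for repeated probing by a co-resident app.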
Related identifiers
- EUVD-2026-36668
- GHSA-g5v4-4fxp-3rxp