CWE-926
AllowedImproper Export of Android Application Components
Abstraction: Variant · Status: Incomplete
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
147 vulnerabilities reference this CWE, most recent first.
GHSA-M5WR-8MCJ-V838
Vulnerability from github – Published: 2024-03-05 00:31 – Updated: 2024-03-05 00:31An improper export vulnerability was reported in the Motorola OTA update application, that could allow a malicious, local application to inject an HTML-based message on screen UI.
{
"affected": [],
"aliases": [
"CVE-2023-41827"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-04T22:15:46Z",
"severity": "MODERATE"
},
"details": "An improper export vulnerability was reported in the Motorola OTA update application, that could allow a malicious, local application to inject an HTML-based message on screen UI.",
"id": "GHSA-m5wr-8mcj-v838",
"modified": "2024-03-05T00:31:14Z",
"published": "2024-03-05T00:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41827"
},
{
"type": "WEB",
"url": "https://en-us.support.motorola.com/app/answers/detail/a_id/178273"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MVF8-P3F9-3X6G
Vulnerability from github – Published: 2025-09-19 15:31 – Updated: 2025-09-19 15:31A vulnerability has been found in intsig CamScanner App 6.91.1.5.250711 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.intsig.camscanner. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-10717"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T15:15:48Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in intsig CamScanner App 6.91.1.5.250711 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.intsig.camscanner. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-mvf8-p3f9-3x6g",
"modified": "2025-09-19T15:31:09Z",
"published": "2025-09-19T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10717"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.intsig.camscanner.md"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.intsig.camscanner.md#steps-to-reproduce"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.325008"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.325008"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.645010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MVXC-WC9G-RG5V
Vulnerability from github – Published: 2025-09-19 15:31 – Updated: 2025-09-19 15:31A flaw has been found in Creality Cloud App up to 6.1.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.cxsw.sdprinter. Executing manipulation can lead to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-10716"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T15:15:46Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in Creality Cloud App up to 6.1.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.cxsw.sdprinter. Executing manipulation can lead to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-mvxc-wc9g-rg5v",
"modified": "2025-09-19T15:31:09Z",
"published": "2025-09-19T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10716"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.cxsw.sdprinter.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.325007"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.325007"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.645009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P54X-GRMR-9GW6
Vulnerability from github – Published: 2024-05-03 15:30 – Updated: 2024-05-03 15:30A an improper export vulnerability was reported in the Motorola Setup application that could allow a local attacker to read sensitive user information.
{
"affected": [],
"aliases": [
"CVE-2023-41821"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T14:15:09Z",
"severity": "MODERATE"
},
"details": "\nA an improper export vulnerability was reported in the Motorola Setup application that could allow a local attacker to read sensitive user information.\u00a0\n\n",
"id": "GHSA-p54x-grmr-9gw6",
"modified": "2024-05-03T15:30:52Z",
"published": "2024-05-03T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41821"
},
{
"type": "WEB",
"url": "https://en-us.support.motorola.com/app/answers/detail/a_id/178879"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P6MF-3J29-C4MM
Vulnerability from github – Published: 2025-07-21 21:31 – Updated: 2025-07-21 21:31A vulnerability was found in Genshin Albedo Cat House App 1.0.2 on Android. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.house.auscat. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-7940"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-21T21:15:27Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Genshin Albedo Cat House App 1.0.2 on Android. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.house.auscat. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-p6mf-3j29-c4mm",
"modified": "2025-07-21T21:31:42Z",
"published": "2025-07-21T21:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7940"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.house.auscat.md"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.house.auscat.md#video-proof-of-concept"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.317077"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.317077"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.619036"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PH47-HPX7-MGHQ
Vulnerability from github – Published: 2025-07-20 15:30 – Updated: 2025-07-20 15:30A vulnerability was found in CallApp Caller ID App up to 2.0.4 on Android. It has been classified as problematic. Affected is an unknown function of the file AndroidManifest.xml of the component caller.id.phone.number.block. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-7889"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-20T13:15:23Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in CallApp Caller ID App up to 2.0.4 on Android. It has been classified as problematic. Affected is an unknown function of the file AndroidManifest.xml of the component caller.id.phone.number.block. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-ph47-hpx7-mghq",
"modified": "2025-07-20T15:30:27Z",
"published": "2025-07-20T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7889"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/caller.id.phone.number.block.md"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/caller.id.phone.number.block.md#steps-to-reproduce"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.317004"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.317004"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.615250"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PW53-33FX-VF55
Vulnerability from github – Published: 2025-05-30 18:31 – Updated: 2025-10-03 09:30An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed ”com.android.providers.settings.fingerprint.PriFpShareProvider“ content provider's public method query() allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code.
Vendor did not provide information about vulnerable versions. Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-13916"
],
"database_specific": {
"cwe_ids": [
"CWE-497",
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-30T16:15:36Z",
"severity": "MODERATE"
},
"details": "An\u00a0application \"com.pri.applock\", which is pre-loaded on\u00a0Kruger\u0026Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\nExposed \u201dcom.android.providers.settings.fingerprint.PriFpShareProvider\u201c content provider\u0027s public method query() allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code.\n\nVendor did not provide information about vulnerable versions.\nOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability",
"id": "GHSA-pw53-33fx-vf55",
"modified": "2025-10-03T09:30:19Z",
"published": "2025-05-30T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13916"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2025/05/CVE-2024-13915"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PXQ2-RVHG-7CP9
Vulnerability from github – Published: 2025-07-17 15:32 – Updated: 2025-07-17 15:32Bluebird devices contain a pre-loaded kiosk application. This application exposes an unsecured service provider "com.bluebird.kiosk.launcher.IpartnerKioskRemoteService". A local attacker can bind to the AIDL-type service to modify device's global settings and wallpaper image.
This issue affects all versions before 1.1.2.
{
"affected": [],
"aliases": [
"CVE-2025-5344"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-17T13:15:23Z",
"severity": "HIGH"
},
"details": "Bluebird devices contain a pre-loaded kiosk application. This application exposes an unsecured service provider \"com.bluebird.kiosk.launcher.IpartnerKioskRemoteService\". A local attacker can bind to the AIDL-type service to modify device\u0027s global settings and wallpaper image.\n\nThis issue affects all versions before 1.1.2.",
"id": "GHSA-pxq2-rvhg-7cp9",
"modified": "2025-07-17T15:32:14Z",
"published": "2025-07-17T15:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5344"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2025/07/CVE-2025-5344"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q2QR-VVQ7-PH4V
Vulnerability from github – Published: 2025-08-03 15:30 – Updated: 2025-08-03 15:30A vulnerability, which was classified as problematic, was found in Caixin News App 8.0.1 on Android. Affected is an unknown function of the file AndroidManifest.xml of the component com.caixin.news. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-8513"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-03T15:15:38Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as problematic, was found in Caixin News App 8.0.1 on Android. Affected is an unknown function of the file AndroidManifest.xml of the component com.caixin.news. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-q2qr-vvq7-ph4v",
"modified": "2025-08-03T15:30:26Z",
"published": "2025-08-03T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8513"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.caixin.news.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.318612"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.318612"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.619029"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q8P5-49QG-M9WX
Vulnerability from github – Published: 2025-02-03 18:30 – Updated: 2025-02-05 18:34The com.enflick.android.TextNow (aka TextNow: Call + Text Unlimited) application 24.17.0.2 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.enflick.android.TextNow.activities.DialerActivity component.
{
"affected": [],
"aliases": [
"CVE-2024-36437"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-03T18:15:33Z",
"severity": "MODERATE"
},
"details": "The com.enflick.android.TextNow (aka TextNow: Call + Text Unlimited) application 24.17.0.2 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.enflick.android.TextNow.activities.DialerActivity component.",
"id": "GHSA-q8p5-49qg-m9wx",
"modified": "2025-02-05T18:34:44Z",
"published": "2025-02-03T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36437"
},
{
"type": "WEB",
"url": "https://github.com/actuator/com.enflick.android.TextNow/blob/main/CVE-2024-36437"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=com.enflick.android.TextNow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.
Mitigation
Strategy: Attack Surface Reduction
If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you.
Mitigation
Strategy: Attack Surface Reduction
Limit Content Provider permissions (read/write) as appropriate.
Mitigation
Strategy: Separation of Privilege
Limit Content Provider permissions (read/write) as appropriate.
No CAPEC attack patterns related to this CWE.