Common Weakness Enumeration

CWE-926

Allowed

Improper Export of Android Application Components

Abstraction: Variant · Status: Incomplete

The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

147 vulnerabilities reference this CWE, most recent first.

GHSA-3MMP-9XR2-4Q46

Vulnerability from github – Published: 2025-07-28 06:30 – Updated: 2025-07-28 06:30
VLAI
Details

A vulnerability classified as problematic was found in Lobby Universe Lobby App up to 2.8.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.maverick.lobby. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-28T05:16:20Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic was found in Lobby Universe Lobby App up to 2.8.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.maverick.lobby. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-3mmp-9xr2-4q46",
  "modified": "2025-07-28T06:30:23Z",
  "published": "2025-07-28T06:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8257"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.maverick.lobby.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.317845"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.317845"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.623471"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3P6Q-H5PG-FCV3

Vulnerability from github – Published: 2026-01-08 21:30 – Updated: 2026-01-09 00:30
VLAI
Details

Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15464"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-08T21:15:42Z",
    "severity": "HIGH"
  },
  "details": "Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.",
  "id": "GHSA-3p6q-h5pg-fcv3",
  "modified": "2026-01-09T00:30:28Z",
  "published": "2026-01-08T21:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15464"
    },
    {
      "type": "WEB",
      "url": "https://korelogic.com/Resources/Advisories/KL-001-2026-001.poc.js.txt"
    },
    {
      "type": "WEB",
      "url": "https://korelogic.com/Resources/Advisories/KL-001-2026-001.txt"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2026/Jan/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5H8R-8RXQ-RW39

Vulnerability from github – Published: 2025-08-29 21:32 – Updated: 2025-08-29 21:32
VLAI
Details

A weakness has been identified in UAB Paytend App up to 2.1.9 on Android. This impacts an unknown function of the file AndroidManifest.xml of the component com.passport.cash. Executing manipulation can lead to improper export of android application components. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-29T20:15:35Z",
    "severity": "MODERATE"
  },
  "details": "A weakness has been identified in UAB Paytend App up to 2.1.9 on Android. This impacts an unknown function of the file AndroidManifest.xml of the component com.passport.cash. Executing manipulation can lead to improper export of android application components. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-5h8r-8rxq-rw39",
  "modified": "2025-08-29T21:32:02Z",
  "published": "2025-08-29T21:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9671"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.passport.cash.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.passport.cash.md#steps-to-reproduce"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.321881"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.321881"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.637922"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5HCV-FV69-MQ6H

Vulnerability from github – Published: 2023-05-04 21:30 – Updated: 2024-04-04 03:48
VLAI
Details

Improper export of android application components vulnerability in ImagePreviewActivity in Call Settings to SMR May-2023 Release 1 allows physical attackers to access some media data stored in sandbox.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-04T21:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Improper export of android application components vulnerability in ImagePreviewActivity in Call Settings to SMR May-2023 Release 1 allows physical attackers to access some media data stored in sandbox.",
  "id": "GHSA-5hcv-fv69-mq6h",
  "modified": "2024-04-04T03:48:20Z",
  "published": "2023-05-04T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21486"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JV9-6P43-2V8W

Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-16 15:33
VLAI
Details

An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T20:16:24Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app\u0027s scoped storage. The resulting files appear in the application\u0027s trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.",
  "id": "GHSA-5jv9-6p43-2v8w",
  "modified": "2026-06-16T15:33:43Z",
  "published": "2026-06-15T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68713"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actuator/com.estmob.android.sendanywhere/blob/main/CVE-2025-68713"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6VQF-8QMC-RJR8

Vulnerability from github – Published: 2026-07-03 03:34 – Updated: 2026-07-03 03:34
VLAI
Details

An Improper Export of Android Application Components vulnerability in ASUS Router App allows a third-party application on the same device to send a crafted Intent that causes ASUS Router App to open an specified URL. Refer to the ' Security Update for ASUS Router Android App ' section on the ASUS Security Advisory for more information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12960"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-03T03:16:23Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Export of Android Application Components vulnerability in ASUS Router App allows a third-party application on the same device to send a crafted Intent that causes ASUS Router App to open an specified URL.\nRefer to the \u0027\nSecurity Update for ASUS Router Android App\u00a0\u0027 section on the ASUS Security Advisory for more information.",
  "id": "GHSA-6vqf-8qmc-rjr8",
  "modified": "2026-07-03T03:34:13Z",
  "published": "2026-07-03T03:34:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12960"
    },
    {
      "type": "WEB",
      "url": "https://www.asus.com/security-advisory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6XW2-CP28-PGVR

Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-12 18:30
VLAI
Details

A improper export of android application components vulnerability in Fortinet FortiTokenAndroid 6.2 all versions, FortiTokenAndroid 6.1 all versions, FortiTokenAndroid 5.2 all versions may allow attacker to improper access control via

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T18:17:30Z",
    "severity": "MODERATE"
  },
  "details": "A improper export of android application components vulnerability in Fortinet FortiTokenAndroid 6.2 all versions, FortiTokenAndroid 6.1 all versions, FortiTokenAndroid 5.2 all versions may allow attacker to improper access control via \u003cinsert attack vector here\u003e",
  "id": "GHSA-6xw2-cp28-pgvr",
  "modified": "2026-05-12T18:30:47Z",
  "published": "2026-05-12T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44279"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-130"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7FPQ-MJ6W-QX3H

Vulnerability from github – Published: 2025-08-29 21:32 – Updated: 2025-08-29 21:32
VLAI
Details

A security vulnerability has been detected in Rejseplanen App up to 8.2.2. Affected is an unknown function of the file AndroidManifest.xml of the component de.hafas.android.rejseplanen. The manipulation leads to improper export of android application components. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9672"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-29T20:15:35Z",
    "severity": "MODERATE"
  },
  "details": "A security vulnerability has been detected in Rejseplanen App up to 8.2.2. Affected is an unknown function of the file AndroidManifest.xml of the component de.hafas.android.rejseplanen. The manipulation leads to improper export of android application components. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-7fpq-mj6w-qx3h",
  "modified": "2025-08-29T21:32:02Z",
  "published": "2025-08-29T21:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9672"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/de.hafas.android.rejseplanen.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/de.hafas.android.rejseplanen.md#steps-to-reproduce"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.321882"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.321882"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.637924"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-89VX-M8MC-P558

Vulnerability from github – Published: 2025-05-30 18:31 – Updated: 2025-06-10 12:30
VLAI
Details

An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed ”com.pri.applock.LockUI“ activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting CVE-2024-13916) or ask the user to provide it.

Vendor did not provide information about vulnerable versions. Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13917"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-30T16:15:36Z",
    "severity": "HIGH"
  },
  "details": "An\u00a0application \"com.pri.applock\", which is pre-loaded on\u00a0Kruger\u0026Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\nExposed \u201dcom.pri.applock.LockUI\u201c activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting\u00a0CVE-2024-13916) or ask the user to provide it.\n\nVendor did not provide information about vulnerable versions.\nOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability",
  "id": "GHSA-89vx-m8mc-p558",
  "modified": "2025-06-10T12:30:18Z",
  "published": "2025-05-30T18:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13917"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2025/05/CVE-2024-13915"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8F5W-JQH8-G6PV

Vulnerability from github – Published: 2025-09-19 15:31 – Updated: 2025-09-19 15:31
VLAI
Details

A security flaw has been discovered in APEUni PTE Exam Practice App up to 10.8.0 on Android. The impacted element is an unknown function of the file AndroidManifest.xml of the component com.ape_edication. The manipulation results in improper export of android application components. The attack requires a local approach. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10715"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-19T14:15:44Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in APEUni PTE Exam Practice App up to 10.8.0 on Android. The impacted element is an unknown function of the file AndroidManifest.xml of the component com.ape_edication. The manipulation results in improper export of android application components. The attack requires a local approach. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-8f5w-jqh8-g6pv",
  "modified": "2025-09-19T15:31:08Z",
  "published": "2025-09-19T15:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10715"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.ape_edication.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.ape_edication.md#steps-to-reproduce"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.325003"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.325003"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.645006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Build and Compilation

Strategy: Attack Surface Reduction

If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.

Mitigation
Build and Compilation

Strategy: Attack Surface Reduction

If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you.

Mitigation
Build and Compilation Architecture and Design

Strategy: Attack Surface Reduction

Limit Content Provider permissions (read/write) as appropriate.

Mitigation
Build and Compilation Architecture and Design

Strategy: Separation of Privilege

Limit Content Provider permissions (read/write) as appropriate.

No CAPEC attack patterns related to this CWE.