{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20976", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "state": "PUBLISHED", "assignerShortName": "SamsungMobile", "dateReserved": "2025-12-11T01:33:35.799Z", "datePublished": "2026-01-09T06:17:10.980Z", "dateUpdated": "2026-01-09T19:10:00.532Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-20: Improper Input Validation"}]}], "affected": [{"vendor": "Samsung Mobile", "product": "Galaxy Store", "versions": [{"status": "unaffected", "version": "4.6.02"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Improper input validation in Galaxy Store prior to version 4.6.02 allows local attacker to execute arbitrary script."}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=01"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-01-09T06:17:10.980Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T19:08:14.243909Z", "id": "CVE-2026-20976", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:10:00.532Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20976", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T19:08:14.243909Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:09:58.307Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "Samsung Mobile", "product": "Galaxy Store", "versions": [{"status": "unaffected", "version": "4.6.02"}], "defaultStatus": "affected"}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=01"}], "descriptions": [{"lang": "en", "value": "Improper input validation in Galaxy Store prior to version 4.6.02 allows local attacker to execute arbitrary script."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-01-09T06:17:10.980Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20976", "state": "PUBLISHED", "dateUpdated": "2026-01-09T19:10:00.532Z", "dateReserved": "2025-12-11T01:33:35.799Z", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "datePublished": "2026-01-09T06:17:10.980Z", "assignerShortName": "SamsungMobile"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samsung:galaxy_store:*:*:*:*:*:*:*:*", "matchCriteriaId": "78296F2B-472E-4071-998A-C387B773560C", "versionEndExcluding": "4.6.02.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper input validation in Galaxy Store prior to version 4.6.02 allows local attacker to execute arbitrary script."}], "id": "CVE-2026-20976", "lastModified": "2026-01-15T19:43:57.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2026-01-09T07:16:04.263", "references": [{"source": "mobile.security@samsung.com", "tags": ["Vendor Advisory"], "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=01"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T19:16:53.741421+00:00", "value": {"mitigation_remediation": ["Update Galaxy Store to version 4.6.02 or later as released by Samsung.", "If an update cannot be applied immediately, uninstall or disable any older Galaxy Store installations that contain the vulnerability.", "Enforce local device security controls to restrict script execution permissions and monitor for anomalous script activity until the patch is applied."], "summary": {"action": "Apply Patch", "impact": "Local Script Execution"}, "threat_synthesis": {"affected_systems": "Samsung Mobile\u2019s Galaxy Store application, specifically versions culminating in 4.6.02 and earlier. The issue is confined to installations of the Store prior to the 4.6.02 release, although the specific patch version that removes the flaw is not listed in the provided data.", "description_and_impact": "This vulnerability arises from improper input validation in the Galaxy Store application, allowing a local attacker to execute arbitrary scripts. The weakness is characterized as an input validation fault, which can lead to unauthorized code execution and compromise the integrity of the affected device. The impact is limited to devices running an affected version of the Galaxy Store, as no remote or network-based exploitation path is described.", "risk_and_exploitability": "The CVSS v3 score of 5.1 classifies the flaw as medium severity, and the EPSS score of less than 1% indicates a low probability of exploitation. Because the attack requires local presence on the device, the scope is limited to users who can physically access or control the device. No indication exists that the vulnerability has been actively exploited in the wild or is listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Thus, the immediate risk to most users remains moderate, contingent upon the likelihood of local compromise."}}}}, "created": "2026-01-09T13:23:49.002326+00:00", "title": "Local Script Execution via Improper Input Validation in Galaxy Store", "updated": "2026-04-18T19:30:08.953444+00:00", "vendors": ["samsung", "samsung$PRODUCT$galaxy_store"]}