{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24490", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T00:38:20.549Z", "datePublished": "2026-01-27T00:40:36.483Z", "dateUpdated": "2026-01-27T14:43:35.345Z"}, "containers": {"cna": {"title": "MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj"}, {"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae", "tags": ["x_refsource_MISC"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae"}, {"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5"}], "affected": [{"vendor": "MobSF", "product": "Mobile-Security-Framework-MobSF", "versions": [{"version": "< 4.4.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T00:40:36.483Z"}, "descriptions": [{"lang": "en", "value": "MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme=\"android_secret_code\">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue."}], "source": {"advisory": "GHSA-8hf7-h89p-3pqj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T14:42:48.599408Z", "id": "CVE-2026-24490", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T14:43:35.345Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24490", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-27T14:42:48.599408Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T14:43:31.128Z"}}], "cna": {"title": "MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field", "source": {"advisory": "GHSA-8hf7-h89p-3pqj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MobSF", "product": "Mobile-Security-Framework-MobSF", "versions": [{"status": "affected", "version": "< 4.4.5"}]}], "references": [{"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj", "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae", "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5", "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme=\"android_secret_code\">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T00:40:36.483Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24490", "state": "PUBLISHED", "dateUpdated": "2026-01-27T14:43:35.345Z", "dateReserved": "2026-01-23T00:38:20.549Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T00:40:36.483Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "04FAB846-35D5-4AFD-9F72-AF1DFC072EA9", "versionEndExcluding": "4.4.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme=\"android_secret_code\">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue."}], "id": "CVE-2026-24490", "lastModified": "2026-02-17T20:36:16.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-27T01:16:02.610", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:57:35.443343+00:00", "value": {"mitigation_remediation": ["Update MobSF to version 4.4.5 or later, which sanitizes the host field and removes the vulnerability.", "Restrict upload permissions so that only trusted users can submit APKs for analysis, or isolate the analysis environment from the public web interface.", "If a patch cannot be applied immediately, disable or remove the Android manifest analysis feature so that the host attribute is no longer rendered into HTML reports."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting leading to session hijacking and account takeover"}, "threat_synthesis": {"affected_systems": "The issue affects the MobSF Mobile\u2011Security\u2011Framework\u2011MobSF product prior to version 4.4.5. All earlier releases are vulnerable until the 4.4.5 release, which applies the necessary sanitization to the host attribute. Users running any deprecated MobSF build must upgrade to a patched version.", "description_and_impact": "MobSF, a mobile application security testing framework, contains a stored XSS vulnerability (CWE\u201179) in its Android manifest analysis. The flaw arises when the android:host field of <data android:scheme=\"android_secret_code\"> elements is rendered directly into HTML reports without sanitization. An attacker who uploads a crafted APK can cause arbitrary JavaScript to run in the context of a victim\u2019s browser session, allowing session hijacking and account takeover.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity. EPSS is less than 1\u202f%, suggesting a low exploitation probability in the current threat landscape, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path involves an attacker first uploading a malicious APK to the MobSF portal, which triggers the manifest analysis and generates an unsafe report. Successful exploitation then requires the victim to view the generated report in a browser where the injected script can execute."}}}}, "created": "2026-01-27T09:03:01.435045+00:00", "updated": "2026-04-18T15:00:03.452890+00:00", "vendors": ["mobsf", "mobsf$PRODUCT$mobile_security_framework"]}