{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4754", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-03-24T06:02:48.515Z", "datePublished": "2026-03-24T06:03:01.090Z", "dateUpdated": "2026-03-24T13:32:06.967Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T06:03:01.090Z"}, "title": "CWE-79 in MolotovCherry Android-ImageMagick7", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "MolotovCherry", "product": "Android-ImageMagick7", "collectionURL": "https://github.com/MolotovCherry/Android-ImageMagick7", "versions": [{"status": "affected", "version": "0", "lessThan": "7.1.2-11", "versionType": "git"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "CWE-79 vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "CWE-79 vulnerability in MolotovCherry Android-ImageMagick7.<p>This issue affects Android-ImageMagick7: before 7.1.2-11.</p>"}]}], "references": [{"url": "https://github.com/MolotovCherry/Android-ImageMagick7/pull/192", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "credits": [{"lang": "en", "value": "TITAN Team (titancaproject@gmail.com)", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:31:55.175637Z", "id": "CVE-2026-4754", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:32:06.967Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4754", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:31:55.175637Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:32:01.528Z"}}], "cna": {"title": "CWE-79 in MolotovCherry Android-ImageMagick7", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MolotovCherry", "product": "Android-ImageMagick7", "versions": [{"status": "affected", "version": "0", "lessThan": "7.1.2-11", "versionType": "git"}], "collectionURL": "https://github.com/MolotovCherry/Android-ImageMagick7", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/MolotovCherry/Android-ImageMagick7/pull/192", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "CWE-79 vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.", "supportingMedia": [{"type": "text/html", "value": "CWE-79 vulnerability in MolotovCherry Android-ImageMagick7.<p>This issue affects Android-ImageMagick7: before 7.1.2-11.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 CWE-79"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T06:03:01.090Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4754", "state": "PUBLISHED", "dateUpdated": "2026-03-24T13:32:06.967Z", "dateReserved": "2026-03-24T06:02:48.515Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-03-24T06:03:01.090Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:molotovcherry:android-imagemagick7:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD4FC35B-5E60-42CC-87A5-71FF393A6EAB", "versionEndExcluding": "7.1.2-11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CWE-79 vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11."}, {"lang": "es", "value": "Vulnerabilidad CWE-79 en MolotovCherry Android-ImageMagick7. Este problema afecta a Android-ImageMagick7: anterior a 7.1.2-11."}], "id": "CVE-2026-4754", "lastModified": "2026-03-26T19:02:47.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-03-24T07:16:07.350", "references": [{"source": "cve_disclosure@tech.gov.sg", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/MolotovCherry/Android-ImageMagick7/pull/192"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.1.2-11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Android-ImageMagick7", "source": "cna", "vendor": "MolotovCherry"}, "product": "android-imagemagick7", "vendor": "molotovcherry"}], "analysis": {"en": {"generated_at": "2026-03-26T20:59:22.047844+00:00", "value": {"mitigation_remediation": ["Upgrade the Android\u2011ImageMagick7 library to version 7.1.2\u201111 or later.", "Verify that the application no longer references the vulnerable library version.", "If an upgrade cannot be performed immediately, monitor the vendor's advisory channels for updates and consider disabling the feature that processes external images until a fix is available."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The issue affects users of MolotovCherry's Android\u2011ImageMagick7 version 7.1.2\u201111 and earlier. Any Android application that incorporates the vulnerable library without upgrading is susceptible to the attack. The CPE listed indicates the product, and the vendor explicitly states that versions prior to 7.1.2\u201111 are at risk.", "description_and_impact": "The vulnerability is a cross\u2011site scripting flaw in MolotovCherry's Android\u2011ImageMagick7 library. A malicious image file can contain specially crafted data that, when processed by the library, causes arbitrary JavaScript to be executed in the context of the application or a web view. This enables an attacker to steal sensitive data, hijack sessions or perform other malicious actions, thereby compromising confidentiality and integrity. The weakness is identified as CWE\u201179, an input validation oversight that permits injection of executable script.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a medium severity, while the EPSS score of less than 1% suggests that widespread exploitation is unlikely and the vulnerability is not yet documented in the CISA KEV catalog. Exploitation requires delivery of a malicious image to be processed by the application, which can be achieved remotely or by prompting a user to open a link containing the image. Although not trivial, the impact of successful exploitation is non\u2011negligible."}}}}, "created": "2026-03-24T10:28:46.809854+00:00", "updated": "2026-03-27T09:21:14.323256+00:00", "vendors": ["molotovcherry", "molotovcherry$PRODUCT$android-imagemagick7"]}