Common Weakness Enumeration

CWE-926

Allowed

Improper Export of Android Application Components

Abstraction: Variant · Status: Incomplete

The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

147 vulnerabilities reference this CWE, most recent first.

GHSA-HJ3F-9Q6F-GR63

Vulnerability from github – Published: 2025-08-29 21:32 – Updated: 2025-08-29 21:32
VLAI
Details

A vulnerability was identified in NCSOFT Universe App up to 1.3.0. Impacted is an unknown function of the file AndroidManifest.xml of the component com.ncsoft.universeapp. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-29T21:15:37Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in NCSOFT Universe App up to 1.3.0. Impacted is an unknown function of the file AndroidManifest.xml of the component com.ncsoft.universeapp. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-hj3f-9q6f-gr63",
  "modified": "2025-08-29T21:32:02Z",
  "published": "2025-08-29T21:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9676"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.ncsoft.universeapp.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.ncsoft.universeapp.md#steps-to-reproduce"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.321888"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.321888"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.638074"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HR3F-Q8MM-3JM3

Vulnerability from github – Published: 2025-08-09 06:30 – Updated: 2025-08-09 06:30
VLAI
Details

A vulnerability, which was classified as problematic, has been found in Weee RICEPO App 6.17.77 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.ricepo.app. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-09T05:15:29Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, has been found in Weee RICEPO App 6.17.77 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.ricepo.app. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-hr3f-q8mm-3jm3",
  "modified": "2025-08-09T06:30:28Z",
  "published": "2025-08-09T06:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8745"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.ricepo.app.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.ricepo.app.md#steps-to-reproduce"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.319241"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.319241"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.623581"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HV33-W2JR-7Q49

Vulnerability from github – Published: 2025-07-20 15:30 – Updated: 2025-07-20 15:30
VLAI
Details

A vulnerability classified as problematic has been found in IDnow App up to 9.6.0 on Android. This affects an unknown part of the file AndroidManifest.xml of the component de.idnow. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-20T14:15:28Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic has been found in IDnow App up to 9.6.0 on Android. This affects an unknown part of the file AndroidManifest.xml of the component de.idnow. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-hv33-w2jr-7q49",
  "modified": "2025-07-20T15:30:27Z",
  "published": "2025-07-20T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7892"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/de.idnow.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/de.idnow.md#steps-to-reproduce"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.317007"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.317007"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.615279"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HV63-3J99-P668

Vulnerability from github – Published: 2025-08-08 03:31 – Updated: 2025-08-08 03:31
VLAI
Details

A vulnerability was found in Huuge Box App 1.0.3 on Android. It has been classified as problematic. This affects an unknown part of the file AndroidManifest.xml of the component com.huuge.game.zjbox. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-08T03:15:25Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Huuge Box App 1.0.3 on Android. It has been classified as problematic. This affects an unknown part of the file AndroidManifest.xml of the component com.huuge.game.zjbox. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-hv63-3j99-p668",
  "modified": "2025-08-08T03:31:50Z",
  "published": "2025-08-08T03:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8707"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.huuge.game.zjbox.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.huuge.game.zjbox.md#steps-to-reproduce"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.319137"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.319137"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.619858"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HXX7-8JPF-2VG3

Vulnerability from github – Published: 2023-03-24 21:30 – Updated: 2023-03-28 21:30
VLAI
Details

In getSliceEndItem of MediaVolumePreferenceController.java, there is a possible way to start foreground activity from the background due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-256590210

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20962"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-24T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In getSliceEndItem of MediaVolumePreferenceController.java, there is a possible way to start foreground activity from the background due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-256590210",
  "id": "GHSA-hxx7-8jpf-2vg3",
  "modified": "2023-03-28T21:30:21Z",
  "published": "2023-03-24T21:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20962"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2023-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J4M8-7J2F-9V62

Vulnerability from github – Published: 2025-07-26 21:31 – Updated: 2025-07-26 21:31
VLAI
Details

A vulnerability was found in Canara ai1 Mobile Banking App 3.6.23 on Android and classified as problematic. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.canarabank.mobility. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8207"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-26T20:15:24Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Canara ai1 Mobile Banking App 3.6.23 on Android and classified as problematic. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.canarabank.mobility. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-j4m8-7j2f-9v62",
  "modified": "2025-07-26T21:31:13Z",
  "published": "2025-07-26T21:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8207"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.canarabank.mobility.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.317777"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.317777"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.615777"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J5HX-W4CQ-6522

Vulnerability from github – Published: 2026-05-07 01:05 – Updated: 2026-05-11 15:32
VLAI
Details

Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T22:16:25Z",
    "severity": "MODERATE"
  },
  "details": "Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities.",
  "id": "GHSA-j5hx-w4cq-6522",
  "modified": "2026-05-11T15:32:08Z",
  "published": "2026-05-07T01:05:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3291"
    },
    {
      "type": "WEB",
      "url": "https://support.hp.com/us-en/document/ish_14864662-14864690-16/hpsbgn04093"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JFVJ-X4V5-JGQR

Vulnerability from github – Published: 2025-08-29 21:32 – Updated: 2026-04-29 04:12
VLAI
Details

A vulnerability was detected in Kakao 헤이카카오 Hey Kakao App up to 2.17.4 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.kakao.i.connect. The manipulation results in improper export of android application components. The attack requires a local approach. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9673"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-29T20:15:36Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was detected in Kakao \ud5e4\uc774\uce74\uce74\uc624 Hey Kakao App up to 2.17.4 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.kakao.i.connect. The manipulation results in improper export of android application components. The attack requires a local approach. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-jfvj-x4v5-jgqr",
  "modified": "2026-04-29T04:12:13Z",
  "published": "2025-08-29T21:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9673"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.kakao.i.connect.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.kakao.i.connect.md#steps-to-reproduce"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.321883"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.321883"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.637925"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JXGF-P72G-V48G

Vulnerability from github – Published: 2025-12-11 15:30 – Updated: 2026-04-29 04:13
VLAI
Details

A vulnerability was determined in Yalantis uCrop 2.2.11. This affects the function UCropActivity  of the file AndroidManifest.xml. Executing manipulation can lead to improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-11T14:16:20Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was determined in Yalantis uCrop 2.2.11. This affects the function UCropActivity\u00a0 of the file AndroidManifest.xml. Executing manipulation can lead to improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-jxgf-p72g-v48g",
  "modified": "2026-04-29T04:13:36Z",
  "published": "2025-12-11T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14517"
    },
    {
      "type": "WEB",
      "url": "https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446#469832583e0444dcb3d08b0ca661d1c6"
    },
    {
      "type": "WEB",
      "url": "https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446?source=copy_link"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.335855"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.335855"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.702811"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M427-85JP-939V

Vulnerability from github – Published: 2025-08-18 00:30 – Updated: 2025-08-18 00:30
VLAI
Details

A security vulnerability has been detected in BuzzFeed App 2024.9 on Android. This affects an unknown part of the file AndroidManifest.xml of the component com.buzzfeed.android. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9093"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-17T22:15:25Z",
    "severity": "MODERATE"
  },
  "details": "A security vulnerability has been detected in BuzzFeed App 2024.9 on Android. This affects an unknown part of the file AndroidManifest.xml of the component com.buzzfeed.android. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-m427-85jp-939v",
  "modified": "2025-08-18T00:30:30Z",
  "published": "2025-08-18T00:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9093"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.buzzfeed.android.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.buzzfeed.android.md#steps-to-reproduce"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.320415"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.320415"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.623584"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Build and Compilation

Strategy: Attack Surface Reduction

If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.

Mitigation
Build and Compilation

Strategy: Attack Surface Reduction

If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you.

Mitigation
Build and Compilation Architecture and Design

Strategy: Attack Surface Reduction

Limit Content Provider permissions (read/write) as appropriate.

Mitigation
Build and Compilation Architecture and Design

Strategy: Separation of Privilege

Limit Content Provider permissions (read/write) as appropriate.

No CAPEC attack patterns related to this CWE.