Common Weakness Enumeration

CWE-926

Allowed

Improper Export of Android Application Components

Abstraction: Variant · Status: Incomplete

The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

147 vulnerabilities reference this CWE, most recent first.

GHSA-M5WR-8MCJ-V838

Vulnerability from github – Published: 2024-03-05 00:31 – Updated: 2024-03-05 00:31
VLAI
Details

An improper export vulnerability was reported in the Motorola OTA update application, that could allow a malicious, local application to inject an HTML-based message on screen UI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-04T22:15:46Z",
    "severity": "MODERATE"
  },
  "details": "An improper export vulnerability was reported in the Motorola OTA update application, that could allow a malicious, local application to inject an HTML-based message on screen UI.",
  "id": "GHSA-m5wr-8mcj-v838",
  "modified": "2024-03-05T00:31:14Z",
  "published": "2024-03-05T00:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41827"
    },
    {
      "type": "WEB",
      "url": "https://en-us.support.motorola.com/app/answers/detail/a_id/178273"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVF8-P3F9-3X6G

Vulnerability from github – Published: 2025-09-19 15:31 – Updated: 2025-09-19 15:31
VLAI
Details

A vulnerability has been found in intsig CamScanner App 6.91.1.5.250711 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.intsig.camscanner. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-19T15:15:48Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in intsig CamScanner App 6.91.1.5.250711 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.intsig.camscanner. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-mvf8-p3f9-3x6g",
  "modified": "2025-09-19T15:31:09Z",
  "published": "2025-09-19T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10717"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.intsig.camscanner.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.intsig.camscanner.md#steps-to-reproduce"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.325008"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.325008"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.645010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MVXC-WC9G-RG5V

Vulnerability from github – Published: 2025-09-19 15:31 – Updated: 2025-09-19 15:31
VLAI
Details

A flaw has been found in Creality Cloud App up to 6.1.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.cxsw.sdprinter. Executing manipulation can lead to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-19T15:15:46Z",
    "severity": "MODERATE"
  },
  "details": "A flaw has been found in Creality Cloud App up to 6.1.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.cxsw.sdprinter. Executing manipulation can lead to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-mvxc-wc9g-rg5v",
  "modified": "2025-09-19T15:31:09Z",
  "published": "2025-09-19T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10716"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.cxsw.sdprinter.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.325007"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.325007"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.645009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P54X-GRMR-9GW6

Vulnerability from github – Published: 2024-05-03 15:30 – Updated: 2024-05-03 15:30
VLAI
Details

A an improper export vulnerability was reported in the Motorola Setup application that could allow a local attacker to read sensitive user information. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T14:15:09Z",
    "severity": "MODERATE"
  },
  "details": "\nA an improper export vulnerability was reported in the Motorola Setup application that could allow a local attacker to read sensitive user information.\u00a0\n\n",
  "id": "GHSA-p54x-grmr-9gw6",
  "modified": "2024-05-03T15:30:52Z",
  "published": "2024-05-03T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41821"
    },
    {
      "type": "WEB",
      "url": "https://en-us.support.motorola.com/app/answers/detail/a_id/178879"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P6MF-3J29-C4MM

Vulnerability from github – Published: 2025-07-21 21:31 – Updated: 2025-07-21 21:31
VLAI
Details

A vulnerability was found in Genshin Albedo Cat House App 1.0.2 on Android. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.house.auscat. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7940"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-21T21:15:27Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Genshin Albedo Cat House App 1.0.2 on Android. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.house.auscat. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-p6mf-3j29-c4mm",
  "modified": "2025-07-21T21:31:42Z",
  "published": "2025-07-21T21:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7940"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.house.auscat.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.house.auscat.md#video-proof-of-concept"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.317077"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.317077"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.619036"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PH47-HPX7-MGHQ

Vulnerability from github – Published: 2025-07-20 15:30 – Updated: 2025-07-20 15:30
VLAI
Details

A vulnerability was found in CallApp Caller ID App up to 2.0.4 on Android. It has been classified as problematic. Affected is an unknown function of the file AndroidManifest.xml of the component caller.id.phone.number.block. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-20T13:15:23Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in CallApp Caller ID App up to 2.0.4 on Android. It has been classified as problematic. Affected is an unknown function of the file AndroidManifest.xml of the component caller.id.phone.number.block. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-ph47-hpx7-mghq",
  "modified": "2025-07-20T15:30:27Z",
  "published": "2025-07-20T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/caller.id.phone.number.block.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/caller.id.phone.number.block.md#steps-to-reproduce"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.317004"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.317004"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.615250"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PW53-33FX-VF55

Vulnerability from github – Published: 2025-05-30 18:31 – Updated: 2025-10-03 09:30
VLAI
Details

An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed ”com.android.providers.settings.fingerprint.PriFpShareProvider“ content provider's public method query() allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code.

Vendor did not provide information about vulnerable versions. Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-497",
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-30T16:15:36Z",
    "severity": "MODERATE"
  },
  "details": "An\u00a0application \"com.pri.applock\", which is pre-loaded on\u00a0Kruger\u0026Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\nExposed \u201dcom.android.providers.settings.fingerprint.PriFpShareProvider\u201c content provider\u0027s public method query() allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code.\n\nVendor did not provide information about vulnerable versions.\nOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability",
  "id": "GHSA-pw53-33fx-vf55",
  "modified": "2025-10-03T09:30:19Z",
  "published": "2025-05-30T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13916"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2025/05/CVE-2024-13915"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PXQ2-RVHG-7CP9

Vulnerability from github – Published: 2025-07-17 15:32 – Updated: 2025-07-17 15:32
VLAI
Details

Bluebird devices contain a pre-loaded kiosk application. This application exposes an unsecured service provider "com.bluebird.kiosk.launcher.IpartnerKioskRemoteService". A local attacker can bind to the AIDL-type service to modify device's global settings and wallpaper image.

This issue affects all versions before 1.1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5344"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-17T13:15:23Z",
    "severity": "HIGH"
  },
  "details": "Bluebird devices contain a pre-loaded kiosk application. This application exposes an unsecured service provider \"com.bluebird.kiosk.launcher.IpartnerKioskRemoteService\". A local attacker can bind to the AIDL-type service to modify device\u0027s global settings and wallpaper image.\n\nThis issue affects all versions before 1.1.2.",
  "id": "GHSA-pxq2-rvhg-7cp9",
  "modified": "2025-07-17T15:32:14Z",
  "published": "2025-07-17T15:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5344"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2025/07/CVE-2025-5344"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q2QR-VVQ7-PH4V

Vulnerability from github – Published: 2025-08-03 15:30 – Updated: 2025-08-03 15:30
VLAI
Details

A vulnerability, which was classified as problematic, was found in Caixin News App 8.0.1 on Android. Affected is an unknown function of the file AndroidManifest.xml of the component com.caixin.news. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-03T15:15:38Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, was found in Caixin News App 8.0.1 on Android. Affected is an unknown function of the file AndroidManifest.xml of the component com.caixin.news. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-q2qr-vvq7-ph4v",
  "modified": "2025-08-03T15:30:26Z",
  "published": "2025-08-03T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8513"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KMov-g/androidapps/blob/main/com.caixin.news.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.318612"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.318612"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.619029"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q8P5-49QG-M9WX

Vulnerability from github – Published: 2025-02-03 18:30 – Updated: 2025-02-05 18:34
VLAI
Details

The com.enflick.android.TextNow (aka TextNow: Call + Text Unlimited) application 24.17.0.2 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.enflick.android.TextNow.activities.DialerActivity component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-926"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-03T18:15:33Z",
    "severity": "MODERATE"
  },
  "details": "The com.enflick.android.TextNow (aka TextNow: Call + Text Unlimited) application 24.17.0.2 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.enflick.android.TextNow.activities.DialerActivity component.",
  "id": "GHSA-q8p5-49qg-m9wx",
  "modified": "2025-02-05T18:34:44Z",
  "published": "2025-02-03T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36437"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actuator/com.enflick.android.TextNow/blob/main/CVE-2024-36437"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=com.enflick.android.TextNow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Build and Compilation

Strategy: Attack Surface Reduction

If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.

Mitigation
Build and Compilation

Strategy: Attack Surface Reduction

If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you.

Mitigation
Build and Compilation Architecture and Design

Strategy: Attack Surface Reduction

Limit Content Provider permissions (read/write) as appropriate.

Mitigation
Build and Compilation Architecture and Design

Strategy: Separation of Privilege

Limit Content Provider permissions (read/write) as appropriate.

No CAPEC attack patterns related to this CWE.