CVE Daily
← All tags

Tag: Android OS

All CVEs associated with "Android OS". Page 2/76 • 9114 CVEs.

Subscribe CVEs: RSS for “Android OS”  ·  RSS (High+Critical only)

About “Android OS”

A curated feed of “Android OS”-related CVEs appears below. We currently track 9114 CVEs for this tag (all time). In the last 365 days, 361 were published. Average CVSS is 6.8 (all time; 6.1 over 365d), and 49% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-926 - Improper Export of Android Application Components, CWE-451 - User Interface (UI) Misrepresentation of Critical Information, CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor.

In our taxonomy this topic maps to a MODERATE impact class. Issues here typically affect operating system packages or kernels. Plan reboots or service restarts and coordinate rollouts across fleets. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-03-16
Medium

CVE-2026-4216

A weakness has been identified in i-SENS SmartLog App up to 2.6.8 on Android. This affects an unknown function of the component air.SmartLog.android. This manipulation causes hard-coded credentials.…

CVSS: 5.3 CWE: CWE-259 - Use of Hard-coded Password View on NVD
Medium

CVE-2026-20993

Improper export of android application components in Samsung Assistant prior to version 9.3.10.7 allows local attacker to access saved information.

CVSS: 5.5 CWE: N/A View on NVD
High

CVE-2026-20990

Improper export of android application components in Secure Folder prior to SMR Mar-2026 Release 1 allows local attackers to launch arbitrary activity with Secure Folder privilege.

CVSS: 8.1 CWE: N/A View on NVD
Medium

CVE-2026-0385

Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability

CVSS: 5.0 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
2026-03-12
Medium

CVE-2026-32251

Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenti…

CVSS: 6.5 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2026-03-11
Medium

CVE-2026-3937

Incorrect security UI in Downloads in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

CVSS: 6.5 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
High

CVE-2026-3936

Use after free in WebView in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Med…

CVSS: 8.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2026-3932

Insufficient policy enforcement in PDF in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security sever…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2026-3925

Incorrect security UI in LookalikeChecks in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medi…

CVSS: 4.3 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Low

CVE-2026-0520

A potential vulnerability was reported in the Lenovo FileZ Android application that, under certain conditions, could allow a local authenticated user to retrieve some sensitive data stored in a log f…

CVSS: 2.8 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2026-03-10
High

CVE-2026-3845

Heap buffer overflow in the Audio/Video: Playback component in Firefox for Android. This vulnerability was fixed in Firefox 148.0.2.

CVSS: 8.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
Low

CVE-2026-21791

HCL Sametime for Android is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URL

CVSS: 3.3 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2026-03-05
Critical

CVE-2025-13476

Rakuten Viber Cloak mode in Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 uses a static and predictable TLS ClientHello fingerprint lacking extension diversity, allowing Deep Packet Inspection (…

CVSS: 9.8 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
High

CVE-2026-30798

Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (He…

CVSS: 7.5 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
High

CVE-2026-30797

Missing Authorization vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, config import modules) allows Application AP…

CVSS: 8.1 CWE: CWE-749 - Exposed Dangerous Method or Function View on NVD
High

CVE-2026-30795

Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop modules) allows Sniffing A…

CVSS: 7.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2026-30794

Improper Certificate Validation vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (HTTP API client, TLS transport modules) allows Adversary in th…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
Critical

CVE-2026-30793

Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, FFI bridge modules) allows Privi…

CVSS: 9.8 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2026-30792

A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application…

CVSS: 8.1 CWE: CWE-657 - Violation of Secure Design Principles View on NVD
Critical

CVE-2026-30789

Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, An…

CVSS: 9.8 CWE: CWE-294 - Authentication Bypass by Capture-replay View on NVD
Critical

CVE-2026-30783

A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abus…

CVSS: 9.8 CWE: CWE-602 - Client-Side Enforcement of Server-Side Security View on NVD
High

CVE-2026-30791

Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Config import, URI scheme handler,…

CVSS: 7.5 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2026-03-04
High

CVE-2026-3537

Object lifecycle issue in PowerVR in Google Chrome on Android prior to 145.0.7632.159 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security seve…

CVSS: 8.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2026-23233

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid mapping wrong physical block for swapfile Xiaolong Guo reported a f2fs bug in bugzilla [1] [1] https://bugzil…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
2026-03-03
Low

CVE-2026-3465

A vulnerability was determined in Tuya App and SDK 24.07.11 on Android. Affected by this vulnerability is an unknown functionality of the component JSON Data Point Handler. This manipulation of the a…

CVSS: 3.1 CWE: CWE-404 - Improper Resource Shutdown or Release View on NVD
Medium

CVE-2025-47147

Cleartext Storage of Sensitive Information (CWE-312) in the Command Centre Mobile Client on Android and iOS could allow an attacker with access to a logged-in Operator's mobile device to extract the…

CVSS: 5.7 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2026-02-26
Critical

CVE-2026-27510

Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protectio…

CVSS: 9.6 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
Low

CVE-2026-26227

VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verificat…

CVSS: 3.7 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
Medium

CVE-2026-26228

VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is c…

CVSS: 4.9 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2026-24004

Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollme…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
2026-02-24
Critical

CVE-2026-2800

Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

CVSS: 9.8 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
High

CVE-2026-2794

Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 148.

CVSS: 7.5 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
2026-02-23
Low

CVE-2026-2974

A vulnerability was identified in AliasVault App up to 0.25.3 on Android/iOS. This vulnerability affects unknown code of the file shared_prefs/aliasvault.xml of the component Backup Handler. The mani…

CVSS: 2.5 CWE: CWE-285 - Improper Authorization View on NVD
2026-02-19
Medium

CVE-2026-26327

OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as `lanHost`, `tailnetDns`, `gatewayPort`, and `gatewayTlsSha256`. TXT records are unauthenti…

CVSS: 6.5 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2026-02-14
High

CVE-2026-23194

In the Linux kernel, the following vulnerability has been resolved: rust_binder: correctly handle FDA objects of length zero Fix a bug where an empty FDA (fd array) object with 0 fds would cause an…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2026-23128

In the Linux kernel, the following vulnerability has been resolved: arm64: Set __nocfi on swsusp_arch_resume() A DABT is reported[1] on an android based system when resume from hiberate. This happe…

CVSS: 5.5 CWE: N/A View on NVD
2026-02-13
Medium

CVE-2026-1578

HP App for Android is potentially vulnerable to cross-site scripting (XSS) when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vu…

CVSS: 5.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-02-12
High

CVE-2026-26214

Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpCl…

CVSS: 7.4 CWE: CWE-297 - Improper Validation of Certificate with Host Mismatch View on NVD
2026-02-05
Medium

CVE-2026-0391

User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.

CVSS: 6.5 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
2026-02-04
High

CVE-2026-20983

Improper export of android application components in Samsung Dialer prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Samsung Dialer privilege.

CVSS: 7.8 CWE: N/A View on NVD
2026-01-27
High

CVE-2026-24490

MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute…

CVSS: 8.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-01-20
Critical

CVE-2026-0906

Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity…

CVSS: 9.8 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Medium

CVE-2026-0901

Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)

CVSS: 5.4 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
2026-01-14
Medium

CVE-2026-22694

AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were valida…

CVSS: 6.1 CWE: CWE-346 - Origin Validation Error View on NVD
High

CVE-2025-14317

In Crazy Bubble Tea mobile application authenticated attacker can obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server does not verify the permissions req…

CVSS: 7.1 CWE: CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor View on NVD
2026-01-09
Low

CVE-2026-20972

Improper Export of Android Application Components in UwbTest prior to SMR Jan-2026 Release 1 allows local attackers to enable UWB.

CVSS: 3.3 CWE: N/A View on NVD
2026-01-07
Medium

CVE-2025-62224

User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an authorized attacker to perform spoofing over a network.

CVSS: 5.5 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
2025-12-31
High

CVE-2025-50053

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nebelhorn Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App yournewsapp…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-12-29
Medium

CVE-2025-53627

Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` fla…

CVSS: 5.3 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
2025-12-24
Unknown

CVE-2023-54157

In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of alloc->vma in race with munmap() [ cmllamas: clean forward port from commit 015ac18be7de ("binder: fix UAF o…

CVSS: N/A CWE: N/A View on NVD
Unknown

CVE-2022-50778

In the Linux kernel, the following vulnerability has been resolved: fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we ob…

CVSS: N/A CWE: N/A View on NVD
Low

CVE-2025-57840

ADB(Android Debug Bridge) is affected by type privilege bypass, successful exploitation of this vulnerability may affect service availability.

CVSS: 2.2 CWE: CWE-269 - Improper Privilege Management View on NVD
2025-12-19
High

CVE-2025-14809

ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web c…

CVSS: 7.4 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
2025-12-16
High

CVE-2025-14553

Exposure of password hashes through an unauthenticated API response in TP-Link Tapo app on iOS and Android for Tapo cameras, allowing attackers to brute force the password in the local network. Issue…

CVSS: 7.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-12-15
Medium

CVE-2025-65835

The Cordova plugin cordova-plugin-x-socialsharing (SocialSharing-PhoneGap-Plugin) for Android 6.0.4, registers an exported broadcast receiver nl.xservices.plugins.ShareChooserPendingIntent with an an…

CVSS: 6.2 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Medium

CVE-2025-14020

LINE client for Android versions prior to 14.20 contains a UI spoofing vulnerability in the in-app browser where the full-screen security Toast notification is not properly re-displayed when users re…

CVSS: 5.4 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Low

CVE-2025-14019

LINE client for Android versions from 13.8 to 15.5 is vulnerable to UI spoofing in the in-app browser where a specific layout could obscure the full-screen warning prompt, potentially allowing attack…

CVSS: 3.4 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Medium

CVE-2025-14699

A security vulnerability has been detected in Municorn FAX App 3.27.0 on Android. This vulnerability affects unknown code of the component biz.faxapp.app. Such manipulation leads to path traversal. T…

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-14698

A weakness has been identified in atlaszz AI Photo Team Galleryit App 1.3.8.2 on Android. This affects an unknown part of the component gallery.photogallery.pictures.vault.album. This manipulation ca…

CVSS: 4.4 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-12-13
Medium

CVE-2025-14617

A vulnerability has been found in Jehovahs Witnesses JW Library App up to 15.5.1 on Android. Affected is an unknown function of the component org.jw.jwlibrary.mobile.activity.SiloContainer. Such mani…

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-12-12
Medium

CVE-2025-14373

Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity:…

CVSS: 4.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
2025-12-11
Medium

CVE-2025-14517

A vulnerability was determined in Yalantis uCrop 2.2.11. This affects the function UCropActivity  of the file AndroidManifest.xml. Executing manipulation can lead to improper export of android applic…

CVSS: 5.3 CWE: CWE-926 - Improper Export of Android Application Components View on NVD
2025-12-10
Critical

CVE-2025-65820

An issue was discovered in Meatmeet Android Mobile Application 1.1.2.0. An exported activity can be spawned with the mobile application which opens a hidden page. This page, which is not available th…

CVSS: 9.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2025-63895

An issue in the Bluetooth firmware of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to cause a Denial of Service (DoS) via sending a crafted Link Manager Protocol (LMP) pack…

CVSS: 7.5 CWE: CWE-404 - Improper Resource Shutdown or Release View on NVD
2025-12-09
Low

CVE-2025-64696

Android App "Brother iPrint&Scan" versions 6.13.7 and earlier improperly uses an external cache directory. If exploited, application-specific files may be accessed from other malicious applications.

CVSS: 3.3 CWE: CWE-524 - Use of Cache Containing Sensitive Information View on NVD
2025-12-05
Medium

CVE-2025-14111

A security vulnerability has been detected in Rarlab RAR App up to 7.11 Build 127 on Android. This affects an unknown part of the component com.rarlab.rar. Such manipulation leads to path traversal.…

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-66270

The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.…

CVSS: 4.7 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2025-32900

In the KDE Connect information-exchange protocol before 2025-04-18, a packet can be crafted to temporarily change the displayed information about a device, because broadcast UDP is used. This affects…

CVSS: 4.3 CWE: CWE-348 - Use of Less Trusted Source View on NVD
Medium

CVE-2025-32901

In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash.

CVSS: 4.3 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
Medium

CVE-2025-32899

In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP.

CVSS: 4.3 CWE: CWE-1250 - Improper Preservation of Consistency Between Independent Representations of Shared State View on NVD
Medium

CVE-2025-32898

The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.…

CVSS: 4.7 CWE: CWE-331 - Insufficient Entropy View on NVD
2025-12-04
High

CVE-2025-63896

An issue in the Bluetooth Human Interface Device (HID) of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to inject arbitrary keystrokes via a spoofed Bluetooth HID device.

CVSS: 7.6 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2025-12-03
High

CVE-2025-12385

Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 3…

CVSS: 8.7 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2025-12-02
Medium

CVE-2025-13876

A security vulnerability has been detected in Rareprob HD Video Player All Formats App 12.1.372 on Android. Impacted is an unknown function of the component com.rocks.music.videoplayer. The manipulat…

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2025-10971

Insecure Storage of Sensitive Information vulnerability in MeetMe on iOS, Android allows Retrieve Embedded Sensitive Data. This issue affects MeetMe: through v2.2.5.

CVSS: 8.8 CWE: CWE-922 - Insecure Storage of Sensitive Information View on NVD
Medium

CVE-2025-58483

Improper export of android application components in Galaxy Store for Galaxy Watch prior to version 1.0.06.29 allows local attacker to install arbitrary application on Galaxy Store.

CVSS: 5.9 CWE: N/A View on NVD
Medium

CVE-2025-21080

Improper export of android application components in Dynamic Lockscreen prior to SMR Dec-2025 Release 1 allows local attackers to access files with Dynamic Lockscreen's privilege.

CVSS: 6.2 CWE: N/A View on NVD
2025-11-24
High

CVE-2025-56400

Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2025-63435

Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not requ…

CVSS: 4.3 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2025-63434

The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing…

CVSS: 8.8 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
Medium

CVE-2025-63433

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code.…

CVSS: 4.6 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Medium

CVE-2025-63432

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker…

CVSS: 4.6 CWE: CWE-599 - Missing Validation of OpenSSL Certificate View on NVD
2025-11-14
Medium

CVE-2025-13102

Inappropriate implementation in WebApp Installs in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severit…

CVSS: 4.3 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Medium

CVE-2024-11919

Inappropriate implementation in Intents in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

CVSS: 4.3 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
2025-11-13
High

CVE-2025-64741

Improper authorization handling in Zoom Workplace for Android before version 6.5.10 may allow an unauthenticated user to conduct an escalation of privilege via network access.

CVSS: 8.1 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2025-11-12
Critical

CVE-2025-63289

Sogexia Android App Compile Affected SDK v35, Max SDK 32 and fixed in v36, was discovered to contain hardcoded encryption keys in the encryption_helper.dart file

CVSS: 9.1 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2025-11-11
Medium

CVE-2025-60722

Improper limitation of a pathname to a restricted directory ('path traversal') in OneDrive for Android allows an authorized attacker to elevate privileges over a network.

CVSS: 6.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-11-10
Medium

CVE-2025-12729

Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via…

CVSS: 4.2 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Medium

CVE-2025-12728

Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via…

CVSS: 4.2 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
High

CVE-2025-12725

Out of bounds read in WebGPU in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severit…

CVSS: 8.8 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2025-12447

Incorrect security UI in Omnibox in Google Chrome on Android prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a craft…

CVSS: 4.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2025-12435

Incorrect security UI in Omnibox in Google Chrome on Android prior to 142.0.7444.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

CVSS: 5.4 CWE: CWE-285 - Improper Authorization View on NVD
2025-11-08
Medium

CVE-2025-12908

Insufficient validation of untrusted input in Downloads in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium secu…

CVSS: 5.4 CWE: CWE-20 - Improper Input Validation View on NVD
2025-11-06
Medium

CVE-2025-11213

Inappropriate implementation in Omnibox in Google Chrome on Android prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing…

CVSS: 6.3 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
High

CVE-2025-11209

Inappropriate implementation in Omnibox in Google Chrome on Android prior to 141.0.7390.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium…

CVSS: 8.2 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Critical

CVE-2025-27918

An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. It has…

CVSS: 9.8 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
High

CVE-2025-27917

An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Remote…

CVSS: 7.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
High

CVE-2025-27916

An issue was discovered in AnyDesk for Windows before 9.0.6 and AnyDesk for Android before 8.0.0. When the connection between two clients is established via an IP address, it is possible to manipulat…

CVSS: 7.5 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2025-10-30
High

CVE-2025-61121

Mobile Scanner Android App version 2.12.38 (package name com.glority.everlens), developed by Glority Global Group Ltd., contains a credential leakage vulnerability. Improper handling of cloud service…

CVSS: 7.5 CWE: CWE-523 - Unprotected Transport of Credentials View on NVD
High

CVE-2025-61120

AG Life Logger Android App version v1.0.2.72 and before (package name com.donki.healthy), developed by IO FIT, K.K., contains improper access control vulnerabilities. Exposed credentials in traffic m…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-61119

Kanova Android App version 1.0.27 (package name com.karelane), developed by Karely L.L.C., contains improper access control vulnerabilities. Attackers may gain unauthorized access to user details and…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-61114

2nd Line Android App version v1.2.92 and before (package name com.mysecondline.app), developed by AutoBizLine, Inc., contains an improper access control vulnerability in its authentication mechanism.…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-61117

Senza: Keto & Fasting Android App version 2.10.15 (package name com.gl.senza), developed by Paul Itoi, contains an improper access control vulnerability. By exploiting insufficient checks in user dat…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-61116

AdForest - Classified Android App version 4.0.12 (package name scriptsbundle.adforest), developed by Muhammad Jawad Arshad, contains an improper access control vulnerability in its authentication mec…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-61115

ABC Fine Wine & Spirits Android App version v.11.27.5 and before (package name com.cta.abcfinewineandspirits), developed by ABC Liquors, Inc., contains an improper access control vulnerability in its…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-61113

TalkTalk 3.3.6 Android App contains improper access control vulnerabilities in multiple API endpoints. By modifying request parameters, attackers may obtain sensitive user information (such as device…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
2025-10-27
High

CVE-2025-61482

Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two factor authentication. By hooking into…

CVSS: 7.2 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2025-12080

On Wear OS devices, when Google Messages is configured as the default SMS/MMS/RCS application, the handling of ACTION_SENDTO intents utilizing the sms:, smsto:, mms:, and mmsto: Uniform Resource Iden…

CVSS: 6.9 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2025-10-14
High

CVE-2025-11720

The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have bee…

CVSS: 8.1 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Medium

CVE-2025-11718

When the address bar was hidden due to scrolling on Android, a malicious page could create a fake address bar to fool the user in response to a visibilitychange event. This vulnerability was fixed in…

CVSS: 6.5 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Critical

CVE-2025-11717

When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the passwor…

CVSS: 9.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2025-11716

Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144.

CVSS: 6.5 CWE: CWE-284 - Improper Access Control View on NVD
2025-10-12
Low

CVE-2025-11645

A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to…

CVSS: 2.4 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-10-10
Medium

CVE-2025-21063

Improper access control in Samsung Voice Recorder prior to version 21.5.73.12 in Android 15 and 21.5.81.40 in Android 16 allows physical attackers to access recording files on the lock screen.

CVSS: 4.6 CWE: N/A View on NVD
High

CVE-2025-21058

Improper access control in Routines prior to version 4.8.7.1 in Android 15 and 4.9.6.0 in Android 16 allows local attackers to potentially execute arbitrary code with SystemUI privilege.

CVSS: 7.3 CWE: N/A View on NVD
2025-10-07
High

CVE-2025-34251

Tesla Telematics Control Unit (TCU) firmware prior to v2025.14 contains an authentication bypass vulnerability. The TCU runs the Android Debug Bridge (adbd) as root and, despite a “lockdown” check th…

CVSS: 8.6 CWE: CWE-269 - Improper Privilege Management View on NVD
2025-10-03
Medium

CVE-2025-55971

TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) vulnerability via t…

CVSS: 4.7 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
High

CVE-2025-59489

Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built wit…

CVSS: 7.4 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
High

CVE-2025-9200

The Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App plugin for WordPress is vulnerable to SQL Injection via the nh_ynaa_comments() function in all versions up to, and incl…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2025-10-02
Critical

CVE-2025-59407

The Flock Safety DetectionProcessing com.flocksafety.android.objects application 6.35.33 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) bundles…

CVSS: 9.8 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD