CVE Daily
← All tags

Tag: Android OS

All CVEs associated with "Android OS". Page 4/76 • 9114 CVEs.

Subscribe CVEs: RSS for “Android OS”  ·  RSS (High+Critical only)

About “Android OS”

A curated feed of “Android OS”-related CVEs appears below. We currently track 9114 CVEs for this tag (all time). In the last 365 days, 361 were published. Average CVSS is 6.8 (all time; 6.1 over 365d), and 49% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-926 - Improper Export of Android Application Components, CWE-451 - User Interface (UI) Misrepresentation of Critical Information, CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor.

In our taxonomy this topic maps to a MODERATE impact class. Issues here typically affect operating system packages or kernels. Plan reboots or service restarts and coordinate rollouts across fleets. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2025-06-04
Medium

CVE-2025-20991

Improper export of Android application components in Bluetooth prior to SMR Jun-2025 Release 1 allows local attackers to make devices discoverable.

CVSS: 4.0 CWE: N/A View on NVD
2025-05-30
High

CVE-2024-13917

An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed ”com.pri.ap…

CVSS: 8.3 CWE: CWE-926 - Improper Export of Android Application Components View on NVD
Medium

CVE-2024-13916

An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed ”com.androi…

CVSS: 6.9 CWE: CWE-926 - Improper Export of Android Application Components View on NVD
Medium

CVE-2024-13915

Android based smartphones from vendors such as Ulefone and Krüger&Matz contain "com.pri.factorytest" application preloaded onto devices during manufacturing process. The application "com.pri.factoryt…

CVSS: 6.9 CWE: CWE-926 - Improper Export of Android Application Components View on NVD
2025-05-29
High

CVE-2025-5334

Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager allows an authenticated user to gain unauthorized access to privat…

CVSS: 7.5 CWE: CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor View on NVD
2025-05-27
Medium

CVE-2025-5066

Inappropriate implementation in Messages in Google Chrome on Android prior to 137.0.7151.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via…

CVSS: 6.5 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Medium

CVE-2025-4683

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
2025-05-25
Low

CVE-2025-5154

A vulnerability, which was classified as problematic, was found in PhonePe App 25.03.21.0 on Android. Affected is an unknown function of the file /data/data/com.phonepe.app/databases/ of the componen…

CVSS: 2.3 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2025-05-23
Critical

CVE-2025-5098

PrinterShare Android application allows the capture of Gmail authentication tokens that can be reused to access a user's Gmail account without proper authorization.

CVSS: 9.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2025-2394

Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.

CVSS: 4.7 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2025-05-21
Medium

CVE-2021-25262

Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack.

CVSS: 5.4 CWE: CWE-116 - Improper Encoding or Escaping of Output View on NVD
High

CVE-2021-25255

Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2021-25254

Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.

CVSS: 5.3 CWE: CWE-116 - Improper Encoding or Escaping of Output View on NVD
2025-05-20
High

CVE-2025-37928

In the Linux kernel, the following vulnerability has been resolved: dm-bufio: don't schedule in atomic context A BUG was reported as below when CONFIG_DEBUG_ATOMIC_SLEEP and try_verify_in_tasklet a…

CVSS: 7.8 CWE: N/A View on NVD
2025-05-14
Medium

CVE-2025-25370

An issue in realme GT 2 (RMX3311) running Android 14 with realme UI 5.0 allows a physically proximate attacker to obtain sensitive information via the show app only setting function.

CVSS: 4.6 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2025-0135

An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS devices enables a locally authenticated non administrative user to disable the app. The GlobalPr…

CVSS: 3.3 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2025-05-07
Medium

CVE-2025-20980

Out-of-bounds write in libsavscmn prior to Android 15 allows local attackers to cause memory corruption.

CVSS: 4.0 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2025-20979

Out-of-bounds write in libsavscmn prior to Android 15 allows local attackers to execute arbitrary code.

CVSS: 8.4 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2025-20975

Improper Export of Android Application Components in AODService prior to version 8.8.28.12 allows local attackers to launch arbitrary activity with systemui privilege.

CVSS: 5.5 CWE: N/A View on NVD
Medium

CVE-2025-20973

Improper authentication in Secure Folder prior to version 1.8.12.0 in Android 13, and 1.9.21.00 in Android 14 allows physical attackers to reset the lock type of Secure Folder.

CVSS: 5.4 CWE: N/A View on NVD
Medium

CVE-2025-20970

Improper access control in Bixby Vision prior to version 3.8.1 in Android 13, 3.8.3 in Android 14, 3.8.21 in Android 15 allows local attackers to access image files with Bixby Vision privilege.

CVSS: 6.2 CWE: N/A View on NVD
Medium

CVE-2025-20969

Improper input validation in Samsung Gallery prior to version 14.5.10.3 in Global Android 13, 14.5.09.3 in China Android 13, and 15.5.04.5 in Android 14 allows local attackers to access data within S…

CVSS: 5.5 CWE: N/A View on NVD
High

CVE-2025-20968

Improper access control in Samsung Gallery prior to version 14.5.10.3 in Global Android 13, 14.5.09.3 in China Android 13, and 15.5.04.5 in Android 14 allows remote attackers to access data and perfo…

CVSS: 7.2 CWE: N/A View on NVD
Medium

CVE-2025-20967

Improper access control in Samsung Gallery prior to version 14.5.10.3 in Global Android 13, 14.5.09.3 in China Android 13, and 15.5.04.5 in Android 14 allows attackers to read and write arbitrary fil…

CVSS: 5.1 CWE: N/A View on NVD
Medium

CVE-2025-20966

Improper access control in Samsung Gallery prior to version 14.5.10.3 in Global Android 13, 14.5.09.3 in China Android 13, and 15.5.04.5 in Android 14 allows physical attackers to access data across…

CVSS: 4.6 CWE: N/A View on NVD
Medium

CVE-2025-20956

Improper export of android application components in Settings in Galaxy Watch prior to SMR May-2025 Release 1 allows physical attackers to access developer settings.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2025-20955

Improper Export of Android Application Components in NotificationHistoryImageProvider prior to SMR May-2025 Release 1 allows local attackers to access notification images.

CVSS: 5.5 CWE: N/A View on NVD
2025-05-05
Medium

CVE-2025-46335

Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A Stored Cross-Site Scripting (XSS) vulnerability has been identified in…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-05-02
Medium

CVE-2025-3438

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack o…

CVSS: 6.5 CWE: CWE-269 - Improper Privilege Management View on NVD
2025-04-29
Medium

CVE-2025-4090

A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. This vulnerability was fixed in Firefox 138 and Thunderbird 138.

CVSS: 5.3 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Medium

CVE-2025-4086

A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. *This bug only affects Thunderbird for A…

CVSS: 6.5 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
2025-04-18
Low

CVE-2025-25983

An issue in Macro-video Technologies Co.,Ltd V380 Pro android application 2.1.44 and V380 Pro android application 2.1.64 allows an attacker to obtain sensitive information via the QE code based shari…

CVSS: 3.4 CWE: CWE-257 - Storing Passwords in a Recoverable Format View on NVD
Medium

CVE-2025-27599

Element X Android is a Matrix Android Client provided by element.io. Prior to version 25.04.2, a crafted hyperlink on a webpage, or a locally installed malicious app, can force Element X up to versio…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
2025-04-15
High

CVE-2024-36842

An issue in Oncord+ Android Infotainment Systems OS Android 12, Model Hardware TS17,Hardware part Number F57L_V3.2_20220301, and Build Number PlatformVER:K24-2023/05/09-v0.01 allows a remote attacker…

CVSS: 7.3 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2025-04-08
High

CVE-2025-29805

Exposure of sensitive information to an unauthorized actor in Outlook for Android allows an unauthorized attacker to disclose information over a network.

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-04-03
Medium

CVE-2025-31127

Element X Android is a Matrix Android Client provided by element.io. In Element X Android versions between 0.4.16 and 25.03.3, the entity in control of the element.json well-known file is able, under…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-04-02
High

CVE-2025-3068

Inappropriate implementation in Intents in Google Chrome on Android prior to 135.0.7049.52 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severi…

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2025-3067

Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege es…

CVSS: 8.8 CWE: N/A View on NVD
2025-04-01
Medium

CVE-2025-25041

A vulnerability in the HPE Aruba Networking Virtual Intranet Access (VIA) client could allow malicious users to overwrite arbitrary files as NT AUTHORITY\SYSTEM (root). A successful exploit could all…

CVSS: 5.5 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2025-03-24
Medium

CVE-2025-1558

Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a malic…

CVSS: 6.5 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
2025-03-20
High

CVE-2025-25758

An issue in KukuFM Android v1.12.7 (11207) allows attackers to access sensitive cleartext data via the android:allowBackup="true" in the ANdroidManifest.xml

CVSS: 7.5 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
Medium

CVE-2024-0245

A misconfiguration in the AndroidManifest.xml file in hamza417/inure before build97 allows for task hijacking. This vulnerability permits malicious applications to inherit permissions of the vulnerab…

CVSS: 5.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Low

CVE-2025-30259

The WhatsApp cloud service before late 2024 did not block certain crafted PDF content that can defeat a sandbox protection mechanism and consequently allow remote access to messaging applications by…

CVSS: 3.5 CWE: N/A View on NVD
2025-03-18
Critical

CVE-2025-30113

An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Hardcoded Credentials exist in the APK for Ports 9091 and 9092. The dashcam's Android application contains hardcoded credent…

CVSS: 9.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2025-03-17
Low

CVE-2025-2356

A vulnerability was found in BlackVue App 3.65 on Android. It has been classified as problematic. This affects the function deviceDelete of the component API Handler. The manipulation leads to use of…

CVSS: 3.7 CWE: CWE-598 - Use of HTTP Request With Sensitive Query String View on NVD
Low

CVE-2025-2355

A vulnerability was found in BlackVue App 3.65 on Android and classified as problematic. Affected by this issue is some unknown functionality of the component API Endpoint Handler. The manipulation o…

CVSS: 3.3 CWE: CWE-255 View on NVD
2025-03-16
Medium

CVE-2025-2342

A vulnerability classified as critical has been found in IROAD X5 Mobile App up to 5.2.5 on Android. Affected is an unknown function of the component API Endpoint. The manipulation leads to hard-code…

CVSS: 5.3 CWE: CWE-259 - Use of Hard-coded Password View on NVD
2025-03-14
Medium

CVE-2025-27606

Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances, fail to logout the user if they input the wrong PIN more than t…

CVSS: 5.1 CWE: CWE-488 - Exposure of Data Element to Wrong Session View on NVD
2025-03-12
High

CVE-2025-0117

A reliance on untrusted input for a security decision in the GlobalProtect app on Windows devices potentially enables a locally authenticated non-administrative Windows user to escalate their privile…

CVSS: 7.1 CWE: CWE-807 - Reliance on Untrusted Inputs in a Security Decision View on NVD
2025-03-08
Low

CVE-2025-27839

operations/attestation/AttestationTask.kt in the Tangem SDK before 5.18.3 for Android has a logic flow in offline wallet attestation (genuineness check) that causes verification results to be disrega…

CVSS: 3.2 CWE: CWE-1025 - Comparison Using Wrong Factors View on NVD
2025-03-06
Medium

CVE-2025-20926

Improper export of Android application components in My Files prior to version 15.0.07.5 in Android 14 allows local attackers to access files with My Files' privilege.

CVSS: 5.5 CWE: N/A View on NVD
2025-03-05
Medium

CVE-2025-1922

Inappropriate implementation in Selection in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing vi…

CVSS: 4.3 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Medium

CVE-2025-1917

Inappropriate implementation in Browser UI in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Me…

CVSS: 4.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
2025-03-04
High

CVE-2025-1940

A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user in to launching an external app unexpectedly. *This issue onl…

CVSS: 7.1 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
Low

CVE-2025-1939

Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding wha…

CVSS: 3.9 CWE: CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor View on NVD
2025-03-02
Low

CVE-2025-0895

IBM Cognos Analytics Mobile 1.1 for Android could allow a user with physical access to the device, to obtain sensitive information from debugging code log messages.

CVSS: 2.4 CWE: CWE-215 - Insertion of Sensitive Information Into Debugging Code View on NVD
2025-02-28
High

CVE-2025-20060

An attacker could expose cross-user personal identifiable information (PII) and personal health information transmitted to the Android device via the Dario Health application database.

CVSS: 7.5 CWE: CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor View on NVD
2025-02-27
Medium

CVE-2024-9285

A vulnerability was found in Tu Yafeng Via Browser up to 5.9.0 on Android. It has been rated as problematic. This issue affects some unknown processing of the component Javascript Bridge. The manipul…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-02-26
High

CVE-2024-50691

SunGrow iSolarCloud Android app V2.1.6.20241104 and prior suffers from Missing SSL Certificate Validation. The app explicitly ignores certificate errors and is vulnerable to MiTM attacks. Attackers c…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
Critical

CVE-2024-50688

SunGrow iSolarCloud Android application V2.1.6.20241017 and prior contains hardcoded credentials. The application (regardless of the user account) and the cloud uses the same MQTT credentials for exc…

CVSS: 9.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Medium

CVE-2024-50684

SunGrow iSolarCloud Android app V2.1.6.20241017 and prior uses an insecure AES key to encrypt client data (insufficient entropy). This may allow attackers to decrypt intercepted communications betwee…

CVSS: 6.5 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
2025-02-24
Low

CVE-2025-1629

A vulnerability was found in Excitel Broadband Private my Excitel App 3.13.0 on Android. It has been classified as problematic. Affected is an unknown function of the component One-Time Password Hand…

CVSS: 3.5 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
2025-02-21
Medium

CVE-2020-6158

Opera Mini for Android before version 52.2 is vulnerable to an address bar spoofing attack. The vulnerability allows a malicious page to trick the browser into showing an address of a different page.…

CVSS: 4.7 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2025-02-19
High

CVE-2025-1426

Heap buffer overflow in GPU in Google Chrome on Android prior to 133.0.6943.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity:…

CVSS: 8.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
2025-02-18
Low

CVE-2025-25300

smartbanner.js is a customizable smart app banner for iOS and Android. Prior to version 1.14.1, clicking on smartbanner `View` link and navigating to 3rd party page leaves `window.opener` exposed. It…

CVSS: 1.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-02-17
Medium

CVE-2025-26700

Authentication bypass using an alternate path or channel issue exists in ”RoboForm Password Manager" App for Android versions prior to 9.7.4, which may allow an attacker with access to a device where…

CVSS: 5.2 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2025-02-15
Medium

CVE-2025-0996

Inappropriate implementation in Browser UI in Google Chrome on Android prior to 133.0.6943.98 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromi…

CVSS: 5.4 CWE: CWE-1007 - Insufficient Visual Distinction of Homoglyphs Presented to User View on NVD
2025-02-13
Medium

CVE-2025-23421

An attacker could obtain firmware files and reverse engineer their intended use leading to loss of confidentiality and integrity of the hardware devices enabled by the Qardio iOS and Android applic…

CVSS: 6.4 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
2025-02-11
Medium

CVE-2024-54916

An issue in the SharedConfig class of Telegram Android APK v.11.7.0 allows a physically proximate attacker to bypass authentication and escalate privileges by manipulating the return value of the che…

CVSS: 6.8 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2024-44336

An issue in AnkiDroid Android Application v2.17.6 allows attackers to retrieve internal files from the /data/data/com.ichi2.anki/ directory and save it into publicly available storage.

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-02-10
High

CVE-2024-11621

Missing certificate validation in Devolutions Remote Desktop Manager on macOS, iOS, Android, Linux allows an attacker to intercept and modify encrypted communications via a man-in-the-middle attack.…

CVSS: 8.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-02-06
Medium

CVE-2025-21253

Microsoft Edge for IOS and Android Spoofing Vulnerability

CVSS: 5.3 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
2025-02-05
Medium

CVE-2025-24805

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. A local user with minimal privi…

CVSS: 5.5 CWE: CWE-269 - Improper Privilege Management View on NVD
Medium

CVE-2025-24804

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentat…

CVSS: 4.3 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
Medium

CVE-2025-24803

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentat…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-02-04
Medium

CVE-2025-20906

Improper Export of Android Application Components in Settings prior to SMR Feb-2025 Release 1 allows local attackers to enable ADB.

CVSS: 5.5 CWE: N/A View on NVD
Medium

CVE-2025-20899

Improper access control in PushNotification prior to version 13.0.00.15 in Android 12, 14.0.00.7 in Android 13, and 15.1.00.5 in Android 14 allows local attackers to access sensitive information.

CVSS: 4.0 CWE: N/A View on NVD
Medium

CVE-2025-20897

Improper access control in Secure Folder prior to version 1.9.20.50 in Android 14, 1.8.11.0 in Android 13, and 1.7.04.0 in Android 12 allows local attacker to access data in Secure Folder.

CVSS: 6.8 CWE: N/A View on NVD
2025-02-03
High

CVE-2024-34897

Nedis SmartLife android app v1.4.0 was discovered to contain an API key disclosure vulnerability.

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2024-36437

The com.enflick.android.TextNow (aka TextNow: Call + Text Unlimited) application 24.17.0.2 for Android enables any installed application (with no permissions) to place phone calls without user intera…

CVSS: 6.5 CWE: CWE-926 - Improper Export of Android Application Components View on NVD
2025-01-29
High

CVE-2024-54462

The file names constructed within image_picker are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document…

CVSS: 7.1 CWE: CWE-23 - Relative Path Traversal View on NVD
High

CVE-2024-54461

The file names constructed within file_selector are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious documen…

CVSS: 7.1 CWE: CWE-23 - Relative Path Traversal View on NVD
2025-01-19
Low

CVE-2025-0575

A vulnerability has been found in Union Bank of India Vyom 8.0.34 on Android and classified as problematic. This vulnerability affects unknown code of the component Rooting Detection. The manipulatio…

CVSS: 3.9 CWE: CWE-693 - Protection Mechanism Failure View on NVD
2025-01-15
Medium

CVE-2025-0435

Inappropriate implementation in Navigation in Google Chrome on Android prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Hi…

CVSS: 6.5 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
2025-01-07
Medium

CVE-2025-0246

When using an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* *Note: This issue…

CVSS: 6.5 CWE: N/A View on NVD
Medium

CVE-2025-0244

When redirecting to an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.*. This vul…

CVSS: 5.3 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
Critical

CVE-2024-12402

The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. Thi…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2025-01-06
Medium

CVE-2024-53936

The com.asianmobile.callcolor (aka Color Phone Call Screen App) application through 24 for Android enables any application (with no permissions) to place phone calls without user interaction by sendi…

CVSS: 6.3 CWE: N/A View on NVD
Medium

CVE-2024-53935

The com.callos14.callscreen.colorphone (aka iCall OS17 - Color Phone Flash) application through 4.3 for Android enables any application (with no permissions) to place phone calls without user interac…

CVSS: 6.5 CWE: N/A View on NVD
High

CVE-2024-53934

The com.windymob.callscreen.ringtone.callcolor.colorphone (aka Color Phone Call Screen Themes) application through 1.1.2 for Android enables any application (with no permissions) to place phone calls…

CVSS: 7.7 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
Medium

CVE-2024-53933

The com.callerscreen.colorphone.themes.callflash (aka Color Call Theme & Call Screen) application through 1.0.7 for Android enables any application (with no permissions) to place phone calls without…

CVSS: 6.3 CWE: N/A View on NVD
Critical

CVE-2024-53932

The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone call…

CVSS: 9.1 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Critical

CVE-2024-53931

The com.glitter.caller.screen (aka iCaller, Caller Theme & Dialer) application through 1.1 for Android enables any application (with no permissions) to place phone calls without user interaction by s…

CVSS: 9.1 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2024-12-19
Critical

CVE-2023-4617

Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and…

CVSS: 10.0 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2021-39081

IBM Cognos Analytics Mobile for Android 1.1.14 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2024-12-17
Low

CVE-2024-54125

Improper authorization in handler for custom URL scheme issue in "Shonen Jump+" App for Android versions prior to 4.0.0 allows an attacker to lead a user to access an arbitrary website via the vulner…

CVSS: 3.3 CWE: CWE-939 - Improper Authorization in Handler for Custom URL Scheme View on NVD
2024-12-16
Medium

CVE-2024-11358

Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.

CVSS: 5.7 CWE: CWE-284 - Improper Access Control View on NVD
2024-12-13
Medium

CVE-2024-12420

The The WPMobile.App — Android and iOS Mobile Application plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 11.52. This is due to the software…

CVSS: 6.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2024-12042

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, an…

CVSS: 5.4 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-12-12
Critical

CVE-2024-55884

In the Mullvad VPN client 2024.6 (Desktop), 2024.8 (iOS), and 2024.8-beta1 (Android), the exception-handling alternate stack can be exhausted, leading to heap-based out-of-bounds writes in enable() i…

CVSS: 9.0 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2024-49057

Microsoft Defender for Endpoint on Android Spoofing Vulnerability

CVSS: 8.1 CWE: CWE-20 - Improper Input Validation View on NVD
2024-12-05
Low

CVE-2024-54014

Improper authorization in handler for custom URL scheme issue in 'Skylark' App for Android 6.2.13 and earlier and 'Skylark' App for iOS 6.2.13 and earlier allows an attacker to lead the application t…

CVSS: 3.6 CWE: CWE-939 - Improper Authorization in Handler for Custom URL Scheme View on NVD
2024-12-04
High

CVE-2024-37575

The Mister org.mistergroup.shouldianswer application 1.4.264 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted int…

CVSS: 7.5 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
High

CVE-2024-37574

The GriceMobile com.grice.call application 4.5.2 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the…

CVSS: 8.2 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Critical

CVE-2024-10576

Infinix devices contain a pre-loaded "com.transsion.agingfunction" application, that exposes an unsecured broadcast receiver. An attacker can communicate with the receiver and force the device to per…

CVSS: 9.4 CWE: CWE-925 - Improper Verification of Intent by Broadcast Receiver View on NVD
2024-12-03
Medium

CVE-2024-49421

Path traversal in Quick Share Agent prior to version 3.5.14.47 in Android 12, 3.5.19.41 in Android 13, and 3.5.19.42 in Android 14 allows adjacent attackers to write file in arbitrary location.

CVSS: 4.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-12-02
High

CVE-2018-9414

In gattServerSendResponseNative of com_android_bluetooth_gatt.cpp, there is a possible out of bounds stack write due to a missing bounds check. This could lead to local escalation of privilege with U…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
2024-11-29
Low

CVE-2024-53701

Multiple FCNT Android devices provide the original security features such as "privacy mode" where arbitrary applications can be set not to be displayed, etc. Under certain conditions, and when an at…

CVSS: 3.1 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2024-11-26
Medium

CVE-2024-11703

On Android, Firefox may have inadvertently allowed viewing saved passwords without the required device PIN authentication. This vulnerability affects Firefox < 133.

CVSS: 5.7 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
High

CVE-2024-11702

Copying sensitive information from Private Browsing tabs on Android, such as passwords, may have inadvertently stored data in the cloud-based clipboard history if enabled. This vulnerability affects…

CVSS: 7.5 CWE: CWE-838 - Inappropriate Encoding for Output Context View on NVD
2024-11-25
High

CVE-2024-53268

Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. In affected versions attackers are able to abuse the fact that openExterna…

CVSS: 7.2 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2024-11-22
Medium

CVE-2024-50657

An issue in Owncloud android apk v.4.3.1 allows a physically proximate attacker to escalate privileges via the PassCodeViewModel class, specifically in the checkPassCodeIsValid method

CVSS: 6.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2024-11-20
High

CVE-2024-10382

There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbit…

CVSS: 7.5 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Medium

CVE-2024-11179

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to SQL Injection via the 'status_type' parameter in all versions up to, and including, 4.15.7 due to…

CVSS: 6.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2024-52614

Use of hard-coded cryptographic key issue exists in "Kura Sushi Official App Produced by EPARK" for Android versions prior to 3.8.5. If this vulnerability is exploited, a local attacker may obtain th…

CVSS: 4.0 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2024-11-19
High

CVE-2018-9428

In startDevice of AAudioServiceStreamBase.cpp there is a possible out of bounds write due to a use after free. This could lead to local arbitrary code execution with no additional execution privilege…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
2024-11-11
High

CVE-2024-46966

The Ikhgur mn.ikhgur.khotoch (aka Video Downloader Pro & Browser) application through 1.0.42 for Android allows an attacker to execute arbitrary JavaScript code via the mn.ikhgur.khotoch.MainActivity…

CVSS: 8.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2024-46964

The com.video.downloader.all (aka All Video Downloader) application through 11.28 for Android allows an attacker to execute arbitrary JavaScript code via the com.video.downloader.all.StartActivity co…

CVSS: 8.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2024-46963

The com.superfast.video.downloader (aka Super Unlimited Video Downloader - All in One) application through 5.1.9 for Android allows an attacker to execute arbitrary JavaScript code via the com.bluesk…

CVSS: 8.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2024-46962

The SYQ com.downloader.video.fast (aka Master Video Downloader) application through 2.0 for Android allows an attacker to execute arbitrary JavaScript code via the com.downloader.video.fast.SpeedMain…

CVSS: 9.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD