CVE Daily
← All tags

Tag: Android OS

All CVEs associated with "Android OS". Page 1/76 • 9114 CVEs.

About “Android OS”

A curated feed of “Android OS”-related CVEs appears below. We currently track 9114 CVEs for this tag (all time). In the last 365 days, 361 were published. Average CVSS is 6.8 (all time; 6.1 over 365d), and 49% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-926 - Improper Export of Android Application Components, CWE-451 - User Interface (UI) Misrepresentation of Critical Information, CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor.

In our taxonomy this topic maps to a MODERATE impact class. Issues here typically affect operating system packages or kernels. Plan reboots or service restarts and coordinate rollouts across fleets. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: android

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
16--
15--
14--
13- Expired
12.1- Expired
12- Expired
11- Expired
10- Expired
9- Expired
8.1- Expired
8.0- Expired
7.1- Expired
7.0- Expired
6.0- Expired
5.1- Expired
5.0- Expired
4.4w- Expired
4.4- Expired
4.3-- Expired
4.2-- Expired
4.1-- Expired
4.0-- Expired
3.2-- Expired
3.1-- Expired
3.0-- Expired
2.3-- Expired
2.2-- Expired
2.1-- Expired
2.0-- Expired
1.6-- Expired
1.5-- Expired
1.1-- Expired
1.0-- Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Android OS”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-06-02
Medium

CVE-2026-10510

Cross-Site Scripting (XSS) in GeniexWebView component in Transsion AI Assistant Lifestyle application (com.transsion.aiassistantlifestyle) all versions on Android allows remote attacker to execute ar…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-06-01
High

CVE-2026-0072

In addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService, there is a missing permission check. This could lead to local escalation of privilege with no additional executi…

CVSS: 7.8 CWE: CWE-285 - Improper Authorization View on NVD
Medium

CVE-2026-45153

Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud…

CVSS: 4.6 CWE: CWE-287 - Improper Authentication View on NVD
2026-05-29
High

CVE-2026-44698

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and…

CVSS: 8.3 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2026-05-28
High

CVE-2026-9987

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 148.0.7778.216 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium sec…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2026-9977

Insufficient validation of untrusted input in WebShare in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a…

CVSS: 8.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2026-9943

Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

CVSS: 4.3 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2026-9929

Inappropriate implementation in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Hig…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2026-9921

Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin information via a crafted HTML page. (Chromium security severity: High)

CVSS: 4.3 CWE: CWE-457 - Use of Uninitialized Variable View on NVD
Low

CVE-2026-9920

Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chr…

CVSS: 3.1 CWE: CWE-457 - Use of Uninitialized Variable View on NVD
Medium

CVE-2026-9919

Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

CVSS: 4.3 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2026-9917

Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chro…

CVSS: 6.5 CWE: CWE-457 - Use of Uninitialized Variable View on NVD
Medium

CVE-2026-9912

Inappropriate implementation in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML pa…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2026-9898

Insufficient validation of untrusted input in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandb…

CVSS: 8.3 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2026-9892

Inappropriate implementation in Skia in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via…

CVSS: 8.3 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2026-9889

Out of bounds read and write in Dawn in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security…

CVSS: 8.3 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2026-9888

Use after free in WebView in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted…

CVSS: 8.3 CWE: CWE-416 - Use After Free View on NVD
Critical

CVE-2026-9876

Use after free in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Cri…

CVSS: 9.6 CWE: CWE-416 - Use After Free View on NVD
Critical

CVE-2026-9875

Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity:…

CVSS: 9.6 CWE: CWE-125 - Out-of-bounds Read View on NVD
Critical

CVE-2026-9872

Out of bounds write in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity:…

CVSS: 9.6 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2026-10020

Insufficient validation of untrusted input in Skia in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sand…

CVSS: 8.3 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2026-10014

Use after free in WebMIDI in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted…

CVSS: 8.3 CWE: CWE-416 - Use After Free View on NVD
Medium

CVE-2026-10010

Inappropriate implementation in Input in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTM…

CVSS: 5.0 CWE: CWE-346 - Origin Validation Error View on NVD
Medium

CVE-2026-10008

Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromi…

CVSS: 6.5 CWE: CWE-457 - Use of Uninitialized Variable View on NVD
2026-05-27
Medium

CVE-2025-68712

SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mec…

CVSS: 5.5 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2026-42184

Tauri is a framework for building binaries for all major desktop platforms. From 2.0 to 2.11.0, a flaw in Tauri's is_local_url() function causes it to incorrectly classify remote URLs as trusted loca…

CVSS: 8.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2026-05-26
Low

CVE-2025-68711

AppLockZ App Lock and Fingerprint Lock (applock.passwordfingerprint.applockz) 4.2.11 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an ove…

CVSS: 2.4 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Low

CVE-2025-68708

SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's…

CVSS: 2.4 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Low

CVE-2025-68710

Easyelife App lock (aka Fingerprint,Applock or locker.app.safe.applocker) 1.9.2 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay…

CVSS: 2.4 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Medium

CVE-2025-68709

SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker to trigger arbitrary JavaScript execution via BrowserMainActivity, which accepts VIEW intents with javascript: URI…

CVSS: 5.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-05-20
Low

CVE-2026-47782

Android App "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation nor notification. If a URL to some malicious web p…

CVSS: 3.3 CWE: CWE-357 - Insufficient UI Warning of Dangerous Operations View on NVD
High

CVE-2026-9123

Heap buffer overflow in Chromecast in Google Chrome on Android, Linux, ChromeOS prior to 148.0.7778.179 allowed a local attacker to execute arbitrary code inside a sandbox via malicious network traff…

CVSS: 7.5 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
2026-05-19
Medium

CVE-2026-8951

Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.

CVSS: 6.5 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
High

CVE-2026-8945

Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.

CVSS: 7.5 CWE: CWE-693 - Protection Mechanism Failure View on NVD
2026-05-14
Medium

CVE-2026-8583

Insufficient policy enforcement in WebXR in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive informa…

CVSS: 5.3 CWE: CWE-693 - Protection Mechanism Failure View on NVD
Low

CVE-2026-8572

Insufficient policy enforcement in Network in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a craft…

CVSS: 3.1 CWE: CWE-693 - Protection Mechanism Failure View on NVD
High

CVE-2026-8571

Insufficient policy enforcement in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape v…

CVSS: 8.3 CWE: CWE-693 - Protection Mechanism Failure View on NVD
Medium

CVE-2026-8566

Insufficient policy enforcement in Payments in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium sec…

CVSS: 4.3 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2026-8564

Incorrect security UI in Downloads in Google Chrome on Android and Mac prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: M…

CVSS: 4.2 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Medium

CVE-2026-8552

Heap buffer overflow in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity…

CVSS: 4.3 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
Medium

CVE-2026-8539

Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security s…

CVSS: 5.4 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2026-8513

Use after free in Input in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HT…

CVSS: 8.3 CWE: CWE-416 - Use After Free View on NVD
Medium

CVE-2026-41281

Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. A man-in-the-middle attacker may access and modify commun…

CVSS: 4.8 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2026-05-13
Medium

CVE-2026-0251

Multiple local privilege escalation vulnerabilities in the Palo Alto Networks GlobalProtect™ app allow a local user to escalate their privileges to NT AUTHORITY\SYSTEM on Windows and root on macOS an…

CVSS: 5.9 CWE: CWE-426 - Untrusted Search Path View on NVD
Medium

CVE-2026-0248

An improper certificate validation vulnerability in the Prisma Access Agent® for Android and Chrome OS enables an attacker to perform a man-in-the-middle (MitM) attack to intercept VPN traffic. By pr…

CVSS: 6.2 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2026-0246

A vulnerability with a privilege management mechanism in the Palo Alto Networks Prisma Access Agent® enables a locally authenticated non-administrative user to escalate their privileges to root on ma…

CVSS: 5.9 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2026-0245

Multiple information disclosure vulnerabilities in Prisma Access Agent® allow a local user to access sensitive configuration data and credentials. The Prisma Access Agent on Linux, ChromeOS, Andro…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Unknown

CVE-2026-43488

In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Prevent interrupt storm on host controller error (HCE) The xHCI controller reports a Host Controller Error (HCE) in UA…

CVSS: N/A CWE: N/A View on NVD
High

CVE-2026-21020

Improper export of android application components in OmaCP prior to SMR May-2026 Release 1 allows local attackers to trigger privileged functions.

CVSS: 7.8 CWE: N/A View on NVD
2026-05-12
Medium

CVE-2026-44279

A improper export of android application components vulnerability in Fortinet FortiTokenAndroid 6.2 all versions, FortiTokenAndroid 6.1 all versions, FortiTokenAndroid 5.2 all versions may allow atta…

CVSS: 5.5 CWE: CWE-926 - Improper Export of Android Application Components View on NVD
2026-05-11
High

CVE-2026-33362

In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded an…

CVSS: 8.6 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2026-05-08
Medium

CVE-2026-43439

In the Linux kernel, the following vulnerability has been resolved: cgroup: fix race between task migration and iteration When a task is migrated out of a css_set, cgroup_migrate_add_task() first m…

CVSS: 4.7 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2026-05-07
Critical

CVE-2026-30496

The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports bot…

CVSS: 9.8 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2026-30495

The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes Android Debug Bridge (ADB) on TCP port 5555 over the network without requiring authentication. The device is con…

CVSS: 8.8 CWE: CWE-285 - Improper Authorization View on NVD
2026-05-06
Medium

CVE-2026-3291

Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate…

CVSS: 5.5 CWE: CWE-926 - Improper Export of Android Application Components View on NVD
Medium

CVE-2026-8020

Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process…

CVSS: 5.3 CWE: CWE-457 - Use of Uninitialized Variable View on NVD
Medium

CVE-2026-7993

Insufficient validation of untrusted input in Payments in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to spoof the contents of t…

CVSS: 4.2 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2026-7941

Insufficient validation of untrusted input in Mobile in Google Chrome on Android prior to 148.0.7778.96 allowed a local attacker to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extens…

CVSS: 4.4 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2026-7915

Insufficient data validation in DevTools in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security sev…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2026-7913

Insufficient policy enforcement in DevTools in Google Chrome on Android prior to 148.0.7778.96 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severi…

CVSS: 7.8 CWE: CWE-693 - Protection Mechanism Failure View on NVD
Medium

CVE-2026-7912

Integer overflow in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page.…

CVSS: 4.2 CWE: CWE-472 - External Control of Assumed-Immutable Web Parameter View on NVD
High

CVE-2026-7905

Insufficient validation of untrusted input in Media in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sand…

CVSS: 8.3 CWE: CWE-20 - Improper Input Validation View on NVD
2026-05-04
Critical

CVE-2026-42090

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in th…

CVSS: 9.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-05-03
Low

CVE-2026-7671

A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restr…

CVSS: 3.7 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
2026-05-02
Medium

CVE-2026-7638

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to miss…

CVSS: 5.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2026-05-01
Medium

CVE-2026-23866

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigg…

CVSS: 4.3 CWE: CWE-940 - Improper Verification of Source of a Communication Channel View on NVD
2026-04-28
High

CVE-2026-7352

Use after free in Media in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HT…

CVSS: 8.3 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2026-7342

Use after free in WebView in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity…

CVSS: 8.8 CWE: CWE-416 - Use After Free View on NVD
2026-04-23
Critical

CVE-2026-6920

Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted…

CVSS: 9.6 CWE: CWE-125 - Out-of-bounds Read View on NVD
2026-04-21
High

CVE-2026-6756

Mitigation bypass in Firefox for Android. This vulnerability was fixed in Firefox 150.

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2026-39973

Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafte…

CVSS: 7.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2026-39866

Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code…

CVSS: 8.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2026-04-17
High

CVE-2026-21733

Vulnerability in Imagination Technologies Graphics DDK on Linux, Android --  RESERVED

CVSS: 7.3 CWE: CWE-20 - Improper Input Validation View on NVD
2026-04-15
High

CVE-2026-6358

Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critic…

CVSS: 8.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2026-6319

Use after free in Payments in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted…

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2026-6315

Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a craf…

CVSS: 8.8 CWE: CWE-416 - Use After Free View on NVD
2026-04-10
High

CVE-2026-35643

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execut…

CVSS: 8.8 CWE: CWE-940 - Improper Verification of Source of a Communication Channel View on NVD
High

CVE-2026-5777

This vulnerability exists in the Atom 3x Projector due to improper exposure of the Android Debug Bridge (ADB) service over the local network without authentication or access controls. An unauthentica…

CVSS: 8.7 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2026-04-08
Medium

CVE-2026-5906

Incorrect security UI in Omnibox in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium securit…

CVSS: 4.3 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Critical

CVE-2026-5902

Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium…

CVSS: 9.8 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2026-40027

ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from a da…

CVSS: 7.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2026-04-07
Critical

CVE-2025-69515

An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device report…

CVSS: 9.1 CWE: CWE-941 - Incorrectly Specified Destination in a Communication Channel View on NVD
2026-04-06
High

CVE-2026-35394

Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any s…

CVSS: 8.3 CWE: CWE-939 - Improper Authorization in Handler for Custom URL Scheme View on NVD
Low

CVE-2026-5682

A vulnerability has been found in Meesho Online Shopping App up to 27.3 on Android. Affected is an unknown function of the file /api/endpoint of the component com.meesho.supply. Such manipulation lea…

CVSS: 3.7 CWE: CWE-310 View on NVD
2026-04-03
Low

CVE-2026-5471

A vulnerability was detected in Investory Toy Planet Trouble App up to 1.5.5 on Android. Impacted is an unknown function of the file assets/google-services-desktop.json of the component app.investory…

CVSS: 3.3 CWE: CWE-320 View on NVD
Low

CVE-2026-5462

A vulnerability was identified in Wahoo Fitness SYSTM App up to 7.2.1 on Android. Impacted is an unknown function of the file com/WahooFitness/SYSTM/BuildConfig.java of the component com.WahooFitness…

CVSS: 3.3 CWE: CWE-320 View on NVD
Low

CVE-2026-5458

A weakness has been identified in Noelse Individuals & Pro App up to 2.1.7 on Android. This impacts an unknown function of the file com/reactnative/antelop/BuildConfig.java of the component com.afone…

CVSS: 3.3 CWE: CWE-320 View on NVD
Low

CVE-2026-5457

A security flaw has been discovered in PropertyGuru AgentNet Singapore App up to 23.7.10 on Android. This affects an unknown function of the file com/allproperty/android/agentnet/BuildConfig.java of…

CVSS: 3.3 CWE: CWE-320 View on NVD
Low

CVE-2026-5456

A vulnerability was identified in Align Technology My Invisalign App 3.12.4 on Android. The impacted element is an unknown function of the file com/aligntech/myinvisalign/BuildConfig.java of the comp…

CVSS: 3.3 CWE: CWE-320 View on NVD
Low

CVE-2026-5455

A vulnerability was determined in Dialogue App up to 4.3.2 on Android. The affected element is an unknown function of the file file res/raw/config.json of the component ca.diagram.dialogue. Executing…

CVSS: 3.3 CWE: CWE-320 View on NVD
Low

CVE-2026-5454

A vulnerability was found in GRID Organiser App up to 1.0.5 on Android. Impacted is an unknown function of the file file res/raw/app.json of the component co.gridapp.organiser. Performing a manipulat…

CVSS: 3.3 CWE: CWE-320 View on NVD
Low

CVE-2026-5453

A vulnerability has been found in Rico só vantagem pra investir App up to 4.58.32.12421 on Android. This issue affects some unknown processing of the file br/com/rico/mobile/di/SegmentSettingsModule.…

CVSS: 3.3 CWE: CWE-320 View on NVD
Low

CVE-2026-5452

A flaw has been found in UCC CampusConnect App up to 14.3.5 on Android. This vulnerability affects unknown code of the file campusconnect/BuildConfig.java of the component campusconnect.ucc. This man…

CVSS: 3.3 CWE: CWE-320 View on NVD
2026-04-02
High

CVE-2026-0634

Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection.

CVSS: 7.8 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
2026-04-01
Medium

CVE-2026-33978

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip m…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2026-5288

Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted…

CVSS: 9.6 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2026-5278

Use after free in Web MIDI in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

CVSS: 8.8 CWE: CWE-416 - Use After Free View on NVD
2026-03-29
Medium

CVE-2026-23400

In the Linux kernel, the following vulnerability has been resolved: rust_binder: call set_notification_done() without proc lock Consider the following sequence of events on a death listener: 1. The…

CVSS: 5.5 CWE: CWE-667 - Improper Locking View on NVD
2026-03-27
Critical

CVE-2026-33976

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the deskt…

CVSS: 9.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-33045

Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobil…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-03-24
High

CVE-2026-4756

Out-of-bounds Write vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
Critical

CVE-2026-4755

CWE-20 vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2026-4754

CWE-79 vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2026-33852

Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

CVSS: 7.5 CWE: CWE-401 - Missing Release of Memory after Effective Lifetime View on NVD
High

CVE-2026-33856

Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

CVSS: 7.5 CWE: CWE-401 - Missing Release of Memory after Effective Lifetime View on NVD
Medium

CVE-2026-33855

Integer Overflow or Wraparound vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

CVSS: 5.5 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
High

CVE-2026-33854

Out-of-bounds Write vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-10.

CVSS: 8.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2026-33853

NULL Pointer Dereference vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-10.

CVSS: 5.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2026-03-22
High

CVE-2019-25605

EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use…

CVSS: 7.5 CWE: CWE-612 - Improper Authorization of Index Containing Sensitive Information View on NVD
2026-03-21
Medium

CVE-2026-2375

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_ro…

CVSS: 6.5 CWE: CWE-269 - Improper Privilege Management View on NVD
2026-03-20
High

CVE-2026-2378

ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web c…

CVSS: 7.4 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
High

CVE-2026-32317

Cryptomator for Android offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 1.12.3, an integrity check vulnerability allows an attacker tamper with the v…

CVSS: 7.6 CWE: CWE-346 - Origin Validation Error View on NVD
High

CVE-2026-4439

Out of bounds memory access in WebGL in Google Chrome on Android prior to 146.0.7680.153 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security…

CVSS: 8.8 CWE: CWE-125 - Out-of-bounds Read View on NVD
2026-03-16
Low

CVE-2026-4251

A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.…

CVSS: 2.5 CWE: CWE-255 View on NVD
Low

CVE-2026-4250

A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the compone…

CVSS: 2.5 CWE: CWE-255 View on NVD
Low

CVE-2026-4243

A weakness has been identified in La Nacion App 10.2.25 on Android. This impacts an unknown function of the file source/app/lanacion/clublanacion/BuildConfig.java of the component app.lanacion.activi…

CVSS: 2.5 CWE: CWE-255 View on NVD
Low

CVE-2026-4242

A security flaw has been discovered in BabyChakra Pregnancy & Parenting App up to 5.4.3.0 on Android. This affects an unknown function of the file file app/babychakra/babychakra/Configuration.java of…

CVSS: 2.5 CWE: CWE-255 View on NVD
Low

CVE-2026-4219

A flaw has been found in INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event…

CVSS: 3.3 CWE: CWE-259 - Use of Hard-coded Password View on NVD
Low

CVE-2026-4218

A vulnerability was detected in myAEDES App up to 1.18.4 on Android. Affected is an unknown function of the file aedes/me/beta/utils/EngageBayUtils.java of the component aedes.me.beta. Performing a m…

CVSS: 2.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2026-4217

A security vulnerability has been detected in XREAL Nebula App up to 3.2.1 on Android. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the com…

CVSS: 2.5 CWE: CWE-255 View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox