
CWE-926 — Vulnerability Class 73

73 vulnerabilities classified as CWE-926. AI Chinese analysis included.

CWE-926 represents a critical configuration weakness where Android application components, such as activities, services, or broadcast receivers, are exported without adequate access restrictions. This flaw allows any other application on the device to interact with the component, potentially launching it or accessing sensitive data it contains. Attackers typically exploit this by crafting malicious intents to trigger exported components, thereby bypassing intended security boundaries to execute unauthorized actions or steal private information. To prevent this vulnerability, developers must explicitly define the `android:exported` attribute in the AndroidManifest.xml file, setting it to false for components that do not need to be accessible externally. Furthermore, implementing proper permission checks and intent filters ensures that only trusted applications can interact with these components, maintaining the integrity and confidentiality of the application’s data and functionality.

MITRE CWE Description
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

The attacks and consequences of improperly exporting a component may depend on the exported component:

If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application.

If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application.

If access to a Content Provider is not restricted to only the expected applications, then malicious applications might be able to access the sensitive data.

Note that in Android before 4.2, the Content Provider is automatically exported unless it has been explicitly declared as NOT exported.
Common Consequences (3)
Scope: Availability, Integrity. Impact: Unexpected State; DoS: Crash, Exit, or Restart; DoS: Instability; Varies by Context.
Other applications, possibly untrusted, can launch the Activity.
Scope: Availability, Integrity. Impact: Unexpected State; Gain Privileges or Assume Identity; DoS: Crash, Exit, or Restart; DoS: Instability; Varies by Context.
Other applications, possibly untrusted, can bind to the Service.
Scope: Confidentiality, Integrity. Impact: Read Application Data; Modify Application Data.
Other applications, possibly untrusted, can read or modify the data that is offered by the Content Provider.
Mitigations (4)
Phase: Build and Compilation. If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.
Phase: Build and Compilation. If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you.
Phase: Build and Compilation, Architecture and Design. Limit Content Provider permissions (read/write) as appropriate.
Phase: Build and Compilation, Architecture and Design. Limit Content Provider permissions (read/write) as appropriate.
Examples (2)
This application is exporting an activity and a service in its manifest.xml:
<activity android:name="com.example.vulnerableApp.mainScreen">
    ...
    <intent-filter>
        <action android:name="com.example.vulnerableApp.OPEN_UI" />
        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
    ...
</activity>
<service android:name="com.example.vulnerableApp.backgroundService">
    ...
    <intent-filter>
        <action android:name="com.example.vulnerableApp.START_BACKGROUND" />
    </intent-filter>
    ...
</service>
Bad · XML
This application has created a content provider to enable custom search suggestions within the application; the provider is declared without android:exported="false" and without read/write permissions:
<provider android:name="com.example.vulnerableApp.searchDB"
          android:authorities="com.example.vulnerableApp.searchDB">
</provider>
Bad · XML
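As an added example (not from this page, MITRE, or any project listed below), the following Python script applies the export rules described above to a manifest and reports components that other apps can reach without a permission gate. It runs on a constructed copy of the "Bad" manifests above and on a hardened form that applies the listed mitigations; the permission name com.example.vulnerableApp.permission.START_BG, the targetSdk values, and the treatment of android:permission/readPermission/writePermission as the gate are assumptions.

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

def is_exported(elem, target_sdk):
    """Platform defaults: an explicit android:exported wins; otherwise an
    intent-filter implies export, and a provider is exported only when the
    app targets an SDK below 17 (Android 4.2, as the CWE text notes)."""
    explicit = elem.get(NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None

def find_cwe926(manifest_xml, target_sdk=33):
    """Return (tag, name) for every exported component that no permission gates."""
    gates = ("permission", "readPermission", "writePermission")
    findings = []
    for elem in ET.fromstring(manifest_xml).iter():
        if (elem.tag in COMPONENTS and is_exported(elem, target_sdk)
                and not any(elem.get(NS + g) for g in gates)):
            findings.append((elem.tag, elem.get(NS + "name")))
    return findings

# Constructed manifest mirroring the page's "Bad" examples (implicitly exported).
VULNERABLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"><application>
 <activity android:name="com.example.vulnerableApp.mainScreen"><intent-filter>
  <action android:name="com.example.vulnerableApp.OPEN_UI"/>
  <category android:name="android.intent.category.DEFAULT"/></intent-filter></activity>
 <service android:name="com.example.vulnerableApp.backgroundService"><intent-filter>
  <action android:name="com.example.vulnerableApp.START_BACKGROUND"/></intent-filter></service>
 <provider android:name="com.example.vulnerableApp.searchDB"
  android:authorities="com.example.vulnerableApp.searchDB"/>
</application></manifest>"""

# Constructed hardened form: exported="false" where sharing is unneeded, and an
# assumed signature-level permission on the service that related apps must reach.
HARDENED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <permission android:name="com.example.vulnerableApp.permission.START_BG"
  android:protectionLevel="signature"/>
 <application>
 <activity android:name="com.example.vulnerableApp.mainScreen" android:exported="false"/>
 <service android:name="com.example.vulnerableApp.backgroundService" android:exported="true"
  android:permission="com.example.vulnerableApp.permission.START_BG"><intent-filter>
  <action android:name="com.example.vulnerableApp.START_BACKGROUND"/></intent-filter></service>
 <provider android:name="com.example.vulnerableApp.searchDB"
  android:authorities="com.example.vulnerableApp.searchDB" android:exported="false"/>
</application></manifest>"""
```

Calling find_cwe926(VULNERABLE) flags the activity and the service; with target_sdk=16 the provider is flagged as well, which is the pre-4.2 default the CWE text warns about, while HARDENED yields no findings under either target.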
CVE ID | Title | CVSS | Severity | Published
(values marked (AI) carry the page's AI badge)
CVE-2025-8512 | TVB Big Big Shop App hk.com.tvb.bigbigshop AndroidManifest.xml improper export of android application components — Big Big Shop App | 5.3 | Medium | 2025-08-03
CVE-2025-8275 | bsc Peru Cocktails App bsc.devy.peru_cocktails AndroidManifest.xml improper export of android application components — Peru Cocktails App | 5.3 | Medium | 2025-07-28
CVE-2025-8258 | Cool Mo Maigcal Number App com.sdmagic.number AndroidManifest.xml improper export of android application components — Maigcal Number App | 5.3 | Medium | 2025-07-28
CVE-2025-8257 | Lobby Universe Lobby App com.maverick.lobby AndroidManifest.xml improper export of android application components — Lobby App | 5.3 | Medium | 2025-07-28
CVE-2025-8210 | Yeelink Yeelight App com.yeelight.cherry AndroidManifest.xml improper export of android application components — Yeelight App | 5.3 | Medium | 2025-07-26
CVE-2025-8207 | Canara ai1 Mobile Banking App com.canarabank.mobility AndroidManifest.xml improper export of android application components — ai1 Mobile Banking App | 5.3 | Medium | 2025-07-26
CVE-2025-7940 | Genshin Albedo Cat House App com.house.auscat AndroidManifest.xml improper export of android application components — Albedo Cat House App | 5.3 | Medium | 2025-07-21
CVE-2025-7893 | Foresight News App pro.foresightnews.appa AndroidManifest.xml improper export of android application components — News App | 5.3 | Medium | 2025-07-20
CVE-2025-7892 | IDnow App de.idnow AndroidManifest.xml improper export of android application components — IDnow App | 5.3 | Medium | 2025-07-20
CVE-2025-7891 | InstantBits Web Video Cast App com.instantbits.cast.webvideo AndroidManifest.xml improper export of android application components — Web Video Cast App | 5.3 | Medium | 2025-07-20
CVE-2025-7890 | Dunamu StockPlus App com.dunamu.stockplus AndroidManifest.xml improper export of android application components — StockPlus App | 5.3 | Medium | 2025-07-20
CVE-2025-7889 | CallApp Caller ID App caller.id.phone.number.block AndroidManifest.xml improper export of android application components — Caller ID App | 5.3 | Medium | 2025-07-20
CVE-2025-5346 | File removal via path traversal in unsecured broadcast receiver in Bluebird barcode scanner application — kr.co.bluebird.android.bbsettings | 5.5 (AI) | Medium (AI) | 2025-07-17
CVE-2025-5344 | Exposed AIDL service allowing for tampering of system secure settings in Bluebird kiosk application — com.bluebird.kiosk.launcher | 3.3 (AI) | Low (AI) | 2025-07-17
CVE-2025-5345 | Exposed AIDL service allowing to read and delete files with system-level privileges in Bluebird filemanager application — com.bluebird.filemanagers | 7.8 (AI) | High (AI) | 2025-07-17
CVE-2024-13917 | Intent Injection in Kruger&Matz AppLock application — com.pri.applock | 7.7 (AI) | High (AI) | 2025-05-30
CVE-2024-13916 | Exposure of Applications' Encryption PINs in Kruger&Matz AppLock — com.pri.applock | 5.5 (AI) | Medium (AI) | 2025-05-30
CVE-2024-13915 | Unrestricted Access to Exported Service in com.pri.factorytest — com.pri.factorytest | 6.1 (AI) | Medium (AI) | 2025-05-30
CVE-2025-27599 | Element X Android vulnerable to loading malicious web pages via received intent — element-x-android | 6.5 | Medium | 2025-04-18
CVE-2024-6051 | Cross Application Scripting in Redlink SDK — Redlink SDK | 5.4 | - | 2024-09-30
CVE-2024-3479 | Motorola Enterprise MotoDpms Provider security vulnerability — Phones | 2.8 | Low | 2024-05-03
CVE-2023-41823 | Motorola Phone Extension security vulnerability — Phones | 4.4 | Medium | 2024-05-03
CVE-2023-41822 | Motorola Interface Test Tool security vulnerability — Phones | 4.8 | Medium | 2024-05-03
CVE-2023-41821 | Motorola Setup security vulnerability — Phones | 5.0 | Medium | 2024-05-03
CVE-2023-41816 | Motorola Services Main security vulnerability — Phones | 5.0 | Medium | 2024-05-03
CVE-2024-27086 | MSAL.NET applications targeting Xamarin Android and .NET Android (MAUI) susceptible to local denial of service — microsoft-authentication-library-for-dotnet | 3.9 | Low | 2024-04-16
CVE-2021-4438 | kyivstarteam react-native-sms-user-consent SmsUserConsentModule.kt registerReceiver improper export of android application components — react-native-sms-user-consent | 5.3 | Medium | 2024-04-07
CVE-2023-41829 | Motorola Carrier security vulnerability — Phones | 5.0 | Medium | 2024-03-04
CVE-2023-41827 | Motorola OTA security vulnerability — Phones | 5.1 | Medium | 2024-03-04
CVE-2023-41960 | Bosch ctrlX HMI Web Panel WR21 security vulnerability — ctrlX HMI Web Panel - WR21 (WR2107) | 7.1 | High | 2023-10-25

Vulnerabilities classified as CWE-926 represent 73 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.