CVE-2026-24490

Published: Jan 27, 2026Modified: Feb 17, 2026

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme="android_secret_code">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue.

Affected (1)

Products: Opensecurity: Mobile Security Framework

1 product

Mobile Security Framework

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Opensecurity Mobile Security Framework	Before 4.4.5

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae

Source: security-advisories@github.com

Patch

https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5

Source: security-advisories@github.com

Release Notes

https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj

Source: security-advisories@github.com

Vendor AdvisoryExploit

Timeline

No history available yet.