CWE-926
AllowedImproper Export of Android Application Components
Abstraction: Variant · Status: Incomplete
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
147 vulnerabilities reference this CWE, most recent first.
GHSA-8GRM-Q26G-C368
Vulnerability from github – Published: 2025-08-04 21:30 – Updated: 2025-08-04 21:30A vulnerability has been found in RiderLike Fruit Crush-Brain App 1.0 on Android and classified as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.fruitcrush.fun. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-8523"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-04T20:15:31Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in RiderLike Fruit Crush-Brain App 1.0 on Android and classified as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.fruitcrush.fun. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-8grm-q26g-c368",
"modified": "2025-08-04T21:30:43Z",
"published": "2025-08-04T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8523"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.fruitcrush.fun.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.318649"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.318649"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.619035"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8H69-QHJ8-JP44
Vulnerability from github – Published: 2023-05-04 21:30 – Updated: 2024-04-04 03:48Improper export of android application components vulnerability in VideoPreviewActivity in Call Settings to SMR May-2023 Release 1 allows physical attackers to access some media data stored in sandbox.
{
"affected": [],
"aliases": [
"CVE-2023-21485"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-04T21:15:09Z",
"severity": "MODERATE"
},
"details": "Improper export of android application components vulnerability in VideoPreviewActivity in Call Settings to SMR May-2023 Release 1 allows physical attackers to access some media data stored in sandbox.",
"id": "GHSA-8h69-qhj8-jp44",
"modified": "2024-04-04T03:48:19Z",
"published": "2023-05-04T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21485"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9GV2-XGVF-CJ9J
Vulnerability from github – Published: 2025-08-04 21:30 – Updated: 2025-08-04 21:30A vulnerability was found in Boquan DotWallet App 2.15.2 on Android and classified as problematic. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.boquanhash.dotwallet. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-8524"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-04T20:15:32Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Boquan DotWallet App 2.15.2 on Android and classified as problematic. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.boquanhash.dotwallet. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-9gv2-xgvf-cj9j",
"modified": "2025-08-04T21:30:43Z",
"published": "2025-08-04T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8524"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.boquanhash.dotwallet.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.318650"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.318650"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.619037"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9M9C-M3M8-59VC
Vulnerability from github – Published: 2025-05-30 18:31 – Updated: 2025-06-10 09:30Android based smartphones from vendors such as Ulefone and Krüger&Matz contain "com.pri.factorytest" application preloaded onto devices during manufacturing process. The application "com.pri.factorytest" (version name: 1.0, version code: 1) exposes a ”com.pri.factorytest.emmc.FactoryResetService“ service allowing any application to perform a factory reset of the device. Application update did not increment the APK version. Instead, it was bundled in OS builds released later than December 2024 (Ulefone) and most probably March 2025 (Krüger&Matz, although the vendor has not confirmed it, so newer releases might be vulnerable as well).
{
"affected": [],
"aliases": [
"CVE-2024-13915"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-30T16:15:35Z",
"severity": "MODERATE"
},
"details": "Android based smartphones from vendors such as Ulefone and\u00a0Kr\u00fcger\u0026Matz contain \"com.pri.factorytest\" application preloaded onto devices during manufacturing process.\nThe application\u00a0\"com.pri.factorytest\"\u00a0(version name: 1.0, version code: 1)\u00a0exposes a \u201dcom.pri.factorytest.emmc.FactoryResetService\u201c service allowing any application to perform a factory reset of the device.\u00a0\nApplication update did not increment the APK version. Instead, it was bundled in OS builds released later than December 2024 (Ulefone) and most probably March 2025 (Kr\u00fcger\u0026Matz, although the vendor has not confirmed it, so newer releases might be vulnerable as well).",
"id": "GHSA-9m9c-m3m8-59vc",
"modified": "2025-06-10T09:30:30Z",
"published": "2025-05-30T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13915"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2025/05/CVE-2024-13915"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9R2Q-7JGQ-5XJC
Vulnerability from github – Published: 2025-09-04 21:31 – Updated: 2025-09-05 18:31In onStart of BiometricEnrollIntroduction.java, there is a possible way to determine the device's location due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2025-32347"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T19:15:37Z",
"severity": "HIGH"
},
"details": "In onStart of BiometricEnrollIntroduction.java, there is a possible way to determine the device\u0027s location due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.",
"id": "GHSA-9r2q-7jgq-5xjc",
"modified": "2025-09-05T18:31:19Z",
"published": "2025-09-04T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32347"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/packages/apps/Settings/+/25cfacbe5ac2423b8fe1375e0593ef69e98b8d09"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2025-09-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9V3X-RMCF-RHP4
Vulnerability from github – Published: 2025-08-19 12:31 – Updated: 2026-04-29 04:12A vulnerability was detected in Verkehrsauskunft Österreich SmartRide, cleVVVer and BusBahnBim up to 12.1.1(258). The impacted element is an unknown function of the file AndroidManifest.xml. The manipulation results in improper export of android application components. The attack must be initiated from a local position. The exploit is now public and may be used. Upgrading to version 12.1.2(259) is sufficient to resolve this issue. Upgrading the affected component is recommended.
{
"affected": [],
"aliases": [
"CVE-2025-9135"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-19T11:15:30Z",
"severity": "MODERATE"
},
"details": "A vulnerability was detected in Verkehrsauskunft \u00d6sterreich SmartRide, cleVVVer and BusBahnBim up to 12.1.1(258). The impacted element is an unknown function of the file AndroidManifest.xml. The manipulation results in improper export of android application components. The attack must be initiated from a local position. The exploit is now public and may be used. Upgrading to version 12.1.2(259) is sufficient to resolve this issue. Upgrading the affected component is recommended.",
"id": "GHSA-9v3x-rmcf-rhp4",
"modified": "2026-04-29T04:12:03Z",
"published": "2025-08-19T12:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9135"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/de.hafas.android.vvt.md"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/de.hafas.android.vvt.md#steps-to-reproduce"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.320515"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.320515"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.615276"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.615278"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.628235"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C3V6-6XR7-WXJ8
Vulnerability from github – Published: 2025-08-18 03:30 – Updated: 2025-08-18 03:30A security vulnerability has been detected in 1&1 Mail & Media mail.com App 8.8.0 on Android. Affected is an unknown function of the file AndroidManifest.xml of the component com.mail.mobile.android.mail. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-9102"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-18T03:15:28Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been detected in 1\u00261 Mail \u0026 Media mail.com App 8.8.0 on Android. Affected is an unknown function of the file AndroidManifest.xml of the component com.mail.mobile.android.mail. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-c3v6-6xr7-wxj8",
"modified": "2025-08-18T03:30:26Z",
"published": "2025-08-18T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9102"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.mail.mobile.android.mail.md"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.mail.mobile.android.mail.md#steps-to-reproduce"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.320424"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.320424"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.628264"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CRW4-X7C5-52F3
Vulnerability from github – Published: 2024-05-03 15:30 – Updated: 2024-05-03 15:30An improper export vulnerability was reported in the Motorola Phone Extension application, that could allow a local attacker to execute unauthorized Activities.
{
"affected": [],
"aliases": [
"CVE-2023-41823"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T14:15:09Z",
"severity": "MODERATE"
},
"details": "\nAn improper export vulnerability was reported in the Motorola Phone Extension application, that could allow a local attacker to execute unauthorized Activities.\u00a0\n\n",
"id": "GHSA-crw4-x7c5-52f3",
"modified": "2024-05-03T15:30:53Z",
"published": "2024-05-03T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41823"
},
{
"type": "WEB",
"url": "https://en-us.support.motorola.com/app/answers/detail/a_id/178705"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-CWHX-Q6WR-FWVC
Vulnerability from github – Published: 2024-05-03 15:30 – Updated: 2024-05-03 15:30An improper export vulnerability was reported in the Motorola Interface Test Tool application that could allow a malicious local application to execute OS commands.
{
"affected": [],
"aliases": [
"CVE-2023-41822"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T14:15:09Z",
"severity": "MODERATE"
},
"details": "\nAn improper export vulnerability was reported in the Motorola Interface Test Tool application that could allow a malicious local application to execute OS commands.\u00a0\n\n",
"id": "GHSA-cwhx-q6wr-fwvc",
"modified": "2024-05-03T15:30:53Z",
"published": "2024-05-03T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41822"
},
{
"type": "WEB",
"url": "https://en-us.support.motorola.com/app/answers/detail/a_id/178704"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-F6W6-CXF8-5R67
Vulnerability from github – Published: 2025-08-18 03:30 – Updated: 2025-08-18 03:30A vulnerability was determined in Elseplus File Recovery App 4.4.21 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-9098"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-18T01:15:30Z",
"severity": "MODERATE"
},
"details": "A vulnerability was determined in Elseplus File Recovery App 4.4.21 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-f6w6-cxf8-5r67",
"modified": "2025-08-18T03:30:26Z",
"published": "2025-08-18T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9098"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.elseplus.filerecovery.md"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.elseplus.filerecovery.md#steps-to-reproduce"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.320420"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.320420"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.627902"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.
Mitigation
Strategy: Attack Surface Reduction
If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you.
Mitigation
Strategy: Attack Surface Reduction
Limit Content Provider permissions (read/write) as appropriate.
Mitigation
Strategy: Separation of Privilege
Limit Content Provider permissions (read/write) as appropriate.
No CAPEC attack patterns related to this CWE.