Executive Summary

CVE-2026-24490 is a Stored Cross-Site Scripting (XSS) vulnerability in the Mobile Security Framework (MobSF) prior to version 4.4.5. It occurs during the analysis of Android APKs that contain a <data> element with android:scheme="android_secret_code" in the manifest. MobSF extracts the android:host attribute from this element and inserts it directly into the HTML static analysis report without proper sanitization or escaping. This allows an attacker to upload a malicious APK with a crafted payload in the android:host attribute, which then executes arbitrary JavaScript in the context of a victim's browser session when viewing the report. This vulnerability enables session hijacking and account takeover. [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript in your browser session when you view the analysis report generated by MobSF. This can lead to session hijacking and account takeover, compromising your user credentials and potentially giving the attacker unauthorized access to your MobSF instance. The attack requires uploading a malicious APK and viewing the resulting report, so users analyzing untrusted APKs are at risk. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by analyzing APK files uploaded to MobSF for the presence of malicious payloads in the android:host attribute within <data android:scheme="android_secret_code"> elements in the Android manifest. Specifically, you can look for suspicious or unexpected JavaScript code embedded in this attribute. Since the vulnerability manifests when MobSF generates HTML reports with unsanitized input, monitoring or scanning the generated reports for embedded scripts or unusual HTML content can help detect exploitation attempts. There are no specific commands provided in the resources, but a practical approach is to upload APKs to MobSF and inspect the static analysis reports for any unexpected JavaScript execution or payloads in the manifest analysis section. [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade MobSF to version 4.4.5 or later, which includes a fix for this Stored Cross-Site Scripting (XSS) vulnerability by removing unsafe rendering of user-controlled input in the HTML reports. Additionally, ensure that all dependencies, such as Django, are updated to secure versions as included in the 4.4.5 release. Avoid uploading untrusted APKs to vulnerable versions of MobSF and restrict access to MobSF instances to trusted users to reduce risk until the update is applied. [1, 3]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows arbitrary JavaScript execution leading to session hijacking and account takeover, which can result in unauthorized access to sensitive data. Such unauthorized access and potential data breaches could negatively impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information. However, specific compliance impacts are not detailed in the provided resources. [2]

Useful 0 Not Useful 0