CVE-2026-24490
Stored XSS in MobSF Android Manifest Analysis Enables Account Takeover
Publication date: 2026-01-27
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensecurity | mobile_security_framework | versions before 4.4.5 (4.4.5 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24490 is a Stored Cross-Site Scripting (XSS) vulnerability in the Mobile Security Framework (MobSF) prior to version 4.4.5. It occurs during the analysis of Android APKs that contain a `<data>` element with `android:scheme="android_secret_code"` in the manifest. MobSF extracts the `android:host` attribute from this element and inserts it directly into the HTML static analysis report without proper sanitization or escaping. This allows an attacker to upload a malicious APK with a crafted payload in the `android:host` attribute, which then executes arbitrary JavaScript in the context of a victim's browser session when viewing the report. This vulnerability enables session hijacking and account takeover. [2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript in your browser session when you view the analysis report generated by MobSF. This can lead to session hijacking and account takeover, compromising your user credentials and potentially giving the attacker unauthorized access to your MobSF instance. The attack requires uploading a malicious APK and viewing the resulting report, so users analyzing untrusted APKs are at risk. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing APK files uploaded to MobSF for the presence of malicious payloads in the android:host attribute within <data android:scheme="android_secret_code"> elements in the Android manifest. Specifically, you can look for suspicious or unexpected JavaScript code embedded in this attribute. Since the vulnerability manifests when MobSF generates HTML reports with unsanitized input, monitoring or scanning the generated reports for embedded scripts or unusual HTML content can help detect exploitation attempts. There are no specific commands provided in the resources, but a practical approach is to upload APKs to MobSF and inspect the static analysis reports for any unexpected JavaScript execution or payloads in the manifest analysis section. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade MobSF to version 4.4.5 or later, which includes a fix for this Stored Cross-Site Scripting (XSS) vulnerability by removing unsafe rendering of user-controlled input in the HTML reports. Additionally, ensure that all dependencies, such as Django, are updated to secure versions as included in the 4.4.5 release. Avoid uploading untrusted APKs to vulnerable versions of MobSF and restrict access to MobSF instances to trusted users to reduce risk until the update is applied. [1, 3]
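The detection and mitigation answers above can be made concrete with a small script. This is an added example, not MobSF's own code: it parses a constructed, already-decoded AndroidManifest.xml (MobSF itself works from the binary manifest inside the APK), lists every `android:host` declared on a `<data android:scheme="android_secret_code">`, flags values that are not the digit-only form a dialed secret code takes or that carry HTML-significant characters, and shows the escaping step that neutralizes such a value before it reaches a report. The digit-only assumption and the sample payload are the example's own, not taken from the advisory.

```python
import html
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of a decoded AndroidManifest.xml (not from any real APK).
# The second <data> host is not a secret code and carries HTML markup, which is
# the shape of input CVE-2026-24490 concerns.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <receiver android:name=".SecretCodeReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="1234"/>
        <data android:scheme="android_secret_code"
              android:host="&lt;script&gt;alert(1)&lt;/script&gt;"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Assumption: a secret code is dialed as *#*#<digits>#*#*, so a legitimate host is digits only.
SECRET_CODE_RE = re.compile(r"^[0-9]+$")


def secret_code_hosts(manifest_xml: str) -> list[str]:
    """Return every android:host declared on a <data android:scheme="android_secret_code">."""
    root = ET.fromstring(manifest_xml)
    hosts = []
    for data in root.iter("data"):
        scheme = data.get(f"{{{ANDROID_NS}}}scheme")
        host = data.get(f"{{{ANDROID_NS}}}host")
        if scheme == "android_secret_code" and host is not None:
            hosts.append(host)
    return hosts


def suspicious_hosts(hosts: list[str]) -> list[str]:
    """Flag hosts that are not plain digits or contain characters significant to HTML."""
    return [h for h in hosts
            if not SECRET_CODE_RE.match(h) or any(c in h for c in "<>\"'&")]


def render_host_cell(host: str) -> str:
    """Hardened rendering: escape the untrusted value before it is placed in the HTML report."""
    return f"<td>{html.escape(host, quote=True)}</td>"
```

Running `suspicious_hosts(secret_code_hosts(SAMPLE_MANIFEST))` on the sample flags only the second host, and `render_host_cell` turns it into inert text rather than markup.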
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows arbitrary JavaScript execution leading to session hijacking and account takeover, which can result in unauthorized access to sensitive data. Such unauthorized access and potential data breaches could negatively impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information. However, specific compliance impacts are not detailed in the provided resources. [2]