CVE-2026-5471
Hard-Coded Cryptographic Key in Investory Toy Planet App
Publication date: 2026-04-03
Last updated on: 2026-04-03
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| investory | toy_planet_trouble_app | to 1.5.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-320 | Key Management Errors |
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Investory Toy Planet Trouble App up to version 1.5.5 on Android. It involves the use of a hard-coded cryptographic key within the file assets/google-services-desktop.json. Specifically, the vulnerability arises from manipulation of the argument current_key, which leads to the use of this hard-coded key. The attack must be performed locally, and the exploit is publicly available.
How can this vulnerability impact me? :
The impact of this vulnerability is limited but present. Because a hard-coded cryptographic key is used, an attacker with local access could potentially exploit this to compromise confidentiality (partial data exposure) of some information protected by the key. However, the vulnerability does not affect integrity or availability, and the overall severity is low based on CVSS scores.