CVE-2025-68709
Deferred Deferred - Pending Action
JavaScript URI Execution in SailingLab AppLock

Publication date: 2026-05-26

Last updated on: 2026-05-27

Assigner: MITRE

Description
SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker to trigger arbitrary JavaScript execution via BrowserMainActivity, which accepts VIEW intents with javascript: URIs. This unsafe navigation path results in script execution and may allow UI spoofing or privilege escalation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68709
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
alpha applock 4.3.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of the vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

However, since the vulnerability allows arbitrary JavaScript execution leading to potential UI spoofing or privilege escalation, it could indirectly affect data security and user privacy, which are critical aspects of these regulations.

Without explicit details on data breach or exposure, the exact compliance impact cannot be determined from the available information.

Executive Summary

CVE-2025-68709 affects the SailingLab AppLock (com.alpha.applock) version 4.3.8 for Android. It allows a local attacker to execute arbitrary JavaScript code through the BrowserMainActivity component by sending specially crafted VIEW intents containing javascript: URIs.

This unsafe navigation path leads to script execution, which can result in UI spoofing or privilege escalation attacks.

The vulnerability is classified as a Cross-Site Scripting (XSS) issue and arises when an attacker uses a malicious app or adb command to send an intent with a javascript: URI, exploiting how the component handles such inputs.

Impact Analysis

This vulnerability can allow an attacker with local access to execute arbitrary JavaScript code within the AppLock application.

  • UI spoofing: The attacker can manipulate the user interface to trick users into performing unintended actions.
  • Privilege escalation: The attacker may gain higher privileges within the app or device, potentially bypassing security controls.
Detection Guidance

The vulnerability in SailingLab AppLock 4.3.8 can be detected by checking if the BrowserMainActivity component accepts VIEW intents containing javascript: URIs, which leads to arbitrary JavaScript execution.

One way to test for this vulnerability is to use the Android Debug Bridge (adb) to send a crafted intent with a javascript: URI to the vulnerable component and observe if the script executes.

  • adb shell am start -a android.intent.action.VIEW -d "javascript:alert('XSS')" com.alpha.applock/.BrowserMainActivity

If the alert or any JavaScript execution occurs, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable version 4.3.8 of SailingLab AppLock until a patch or update is available.

Restrict or monitor the use of local apps or adb commands that can send VIEW intents with javascript: URIs to the BrowserMainActivity component.

Consider uninstalling or disabling the app if it is not essential, or applying any official updates or patches provided by the vendor once released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68709. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart