CVE-2026-58460
Received - Intake

Path Traversal in React Native Receive Sharing Intent


Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

react-native-receive-sharing-intent contains a path traversal vulnerability that allows a co-resident malicious application to write files outside the intended cache directory by supplying a crafted _display_name value containing dot-dot path components through a malicious ContentProvider. Attackers can fire an explicit ACTION_SEND intent at the consuming app's exported share-receiver activity to overwrite arbitrary files in the consuming app's private data directory, including databases, shared preferences, and cached configuration, with attacker-controlled content.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

Currently, no data is known.

CWE

CWE ID: CWE-22
Description: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Executive Summary

The vulnerability exists in react-native-receive-sharing-intent and is a path traversal issue. It allows a malicious application running on the same device to write files outside the intended cache directory by providing a specially crafted _display_name value containing dot-dot path components. This is done through a malicious ContentProvider.

An attacker can send an explicit ACTION_SEND intent to the target app's exported share-receiver activity, which then allows the attacker to overwrite arbitrary files in the target app's private data directory. This includes critical files such as databases, shared preferences, and cached configuration files, replacing them with attacker-controlled content.

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker to overwrite important files within the affected application's private data directory. This can lead to data corruption, loss of user data, or manipulation of application behavior.

  • Attackers can overwrite databases, potentially corrupting or altering stored data.
  • Shared preferences can be overwritten, which may affect app settings or user preferences.
  • Cached configuration files can be replaced, possibly changing how the app operates.

Overall, this can lead to integrity and availability issues within the app, potentially causing denial of service or unauthorized modification of app data.
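
A defensive sketch of the missing check, added here as an example and not taken from react-native-receive-sharing-intent: it reduces an untrusted _display_name to a single file name and refuses any target whose canonical path leaves the cache directory. The class and method names (SafeCacheName, sanitize, resolveInCache), the fallback name, and the temp-directory stand-in for the app cache are assumptions.

```java
import java.io.File;
import java.io.IOException;

public class SafeCacheName {
    // Reduce an untrusted _display_name to one file name component.
    static String sanitize(String displayName) {
        if (displayName == null) return "shared_file";
        // Treat both separators as path boundaries; keep only the last component.
        String name = displayName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        // Drop control characters, including NUL.
        name = name.replaceAll("\\p{Cntrl}", "");
        if (name.isEmpty() || name.equals(".") || name.equals("..")) return "shared_file";
        return name;
    }

    // Resolve the name under cacheDir and reject anything that escapes it.
    // Canonicalisation also resolves symlinks already present in the cache.
    static File resolveInCache(File cacheDir, String displayName) throws IOException {
        File base = cacheDir.getCanonicalFile();
        File target = new File(base, sanitize(displayName)).getCanonicalFile();
        if (target.equals(base) || !target.toPath().startsWith(base.toPath())) {
            throw new SecurityException("display name escapes cache directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the consuming app's cache directory (assumption).
        File cache = new File(System.getProperty("java.io.tmpdir"), "share_cache");
        cache.mkdirs();
        // Constructed sample display names, as a ContentProvider might return them.
        String[] samples = {
            "photo.jpg", "../databases/app.db", "..", "a/../../shared_prefs/x.xml", null
        };
        for (String s : samples) {
            // Every result stays directly inside the cache directory.
            System.out.println(s + " -> " + resolveInCache(cache, s));
        }
    }
}
```

The containment check is kept even after sanitising so that a later change to the name handling cannot silently reintroduce the traversal.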
