Description
EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwords logged during the forgot password function, exposing user account credentials.
Published: 2026-03-22
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential Disclosure via Logcat
Action: Apply Patch
AI Analysis

Impact

EquityPandit 1.0 logs sensitive user credentials in plaintext during the forgot‑password flow. As a result, an attacker who can read the device’s developer console logs can acquire user passwords, undermining confidentiality and enabling account compromise. The vulnerability is a classic case of insecure credential storage and logging, classified as CWE‑612.

Affected Systems

The affected product is EquityPandit version 1.0, a mobile application available on the Google Play store. No other versions are listed or known to be affected based on the current advisories.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. Although an EPSS score is not provided, the attack requires access to the device via Android Debug Bridge, which typically requires the device to have debugging enabled or physical access. The vulnerability is not listed in CISA’s KEV catalog, suggesting no confirmed large‑scale exploitation yet. Nevertheless, the potential to harvest credentials is significant, and the attack vector is relatively straightforward once debugging is available.

Generated by OpenCVE AI on March 22, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install any newer EquityPandit releases that remove insecure logging.
  • Disable Android Debug Bridge (ADB) on devices unless it is absolutely required, or restrict its use to trusted users only.
  • Modify the application to eliminate logging of plaintext passwords during authentication processes.

Generated by OpenCVE AI on March 22, 2026 at 14:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Play
Play equitypandit
Vendors & Products Play
Play equitypandit

Sun, 22 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Description EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwords logged during the forgot password function, exposing user account credentials.
Title EquityPandit 1.0 Insecure Logging Information Disclosure
Weaknesses CWE-612
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Play Equitypandit
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T19:14:48.383Z

Reserved: 2026-03-22T13:06:51.975Z

Link: CVE-2019-25605

cve-icon Vulnrichment

Updated: 2026-03-23T19:14:32.063Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-22T14:16:28.260

Modified: 2026-03-23T14:31:37.267

Link: CVE-2019-25605

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:46:11Z

Weaknesses