Description
Cross-Site Scripting (XSS) in GeniexWebView component in Transsion AI Assistant Lifestyle application (com.transsion.aiassistantlifestyle) all versions on Android allows remote attacker to execute arbitrary JavaScript in the WebView context via crafted web_action_data URL parameter.
Published: 2026-06-02
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑Site Scripting was discovered in the GeniexWebView component of Transsion AI Assistant Lifestyle for Android. The flaw allows a remote attacker to supply a crafted web_action_data URL parameter that is passed unsanitized to the WebView. By injecting JavaScript into that parameter, an attacker can execute arbitrary code in the context of the application, potentially leaking sensitive data or hijacking the user’s session.

Affected Systems

All Android versions of TECNO Mobile’s com.transsion.aiassistantlifestyle application are affected. The vulnerability exists across all releases of the app currently on the market.

Risk and Exploitability

The CVSS score is 6.1, and the EPSS score is < 1%. The issue is categorized as a classic XSS which can be triggered by an attacker who controls a link or URL. Because the attack requires only the delivery of a malicious web_action_data value, the risk is high if users click suspicious links or open URLs from untrusted sources. The vulnerability is not listed in CISA’s KEV catalog, yet it remains a significant security concern until a vendor patch is issued.

Generated by OpenCVE AI on June 2, 2026 at 15:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest available version of the app that addresses the XSS flaw.
  • If no patched version exists, uninstall the application to eliminate the threat.
  • Employ a mobile security solution that monitors URL activity and blocks suspicious web_action_data parameters until a vendor patch is released.

Generated by OpenCVE AI on June 2, 2026 at 15:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Tecno
Tecno com.transsion.aiassistantlifestyle
Vendors & Products Tecno
Tecno com.transsion.aiassistantlifestyle

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Scripting (XSS) in GeniexWebView component in Transsion AI Assistant Lifestyle application (com.transsion.aiassistantlifestyle) all versions on Android allows remote attacker to execute arbitrary JavaScript in the WebView context via crafted web_action_data URL parameter.
Title GeniexWebView XSS in com.transsion.aiassistantlifestyle
Weaknesses CWE-79
References

Subscriptions

Tecno Com.transsion.aiassistantlifestyle
cve-icon MITRE

Status: PUBLISHED

Assigner: TECNOMobile

Published:

Updated: 2026-06-02T13:35:44.676Z

Reserved: 2026-06-01T03:45:49.551Z

Link: CVE-2026-10510

cve-icon Vulnrichment

Updated: 2026-06-02T13:35:41.235Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T03:16:15.933

Modified: 2026-06-02T14:50:37.260

Link: CVE-2026-10510

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:52:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')