Description
A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. This affects an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in handler for custom url scheme. The attack can only be executed locally. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-14
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Moovit Bus & Public Transit App version 1.18 on Android allows a local attacker to manipulate requests that target the app’s custom URL scheme. The misuse of the com.tranzmate component bypasses the intended authorization checks, enabling an attacker to invoke privileged functionality or send commands that the application should reject.

Affected Systems

The vulnerability affects Moovit Bus & Public Transit App, specifically version 1.18 on Android, where the defect resides in an unspecified part of the com.tranzmate component.

Risk and Exploitability

The CVSS score of 4.8 places this vulnerability in the Medium severity band. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, indicating that no large‑scale exploitation has been reported. Nevertheless, a published exploit exists. Because the attack can only be carried out locally, the risk is confined to scenarios where a malicious user has code running on the victim’s device or can trigger the custom URL scheme through a malicious app.

Generated by OpenCVE AI on June 15, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released patch that addresses the improper authorization flaw in the com.tranzmate custom URL scheme (CWE‑285).
  • If a patch is not yet available, disable the app’s handling of the custom URL scheme or block com.tranzmate intents in Android to prevent unauthorized invocation (CWE‑285).
  • Limit exposure by ensuring only trusted code can trigger the custom URL scheme, for example by configuring Android app‑intent filters or using a firewall to block untrusted intents, thereby mitigating the potential misuse of the custom URL scheme path (CWE‑939).


Advisories

No advisories yet.

History

Sun, 14 Jun 2026 22:45:00 +0000

Values Removed: none listed

Values Added, by Type:

  • Description: A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. This affects an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in handler for custom url scheme. The attack can only be executed locally. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  • Title: Moovit Bus & Public Transit App com.tranzmate improper authorization in handler for custom url scheme
  • First Time appeared: Moovit; Moovit bus Public Transit App
  • Weaknesses: CWE-285; CWE-939
  • CPEs: cpe:2.3:a:moovit:bus_public_transit_app:*:*:*:*:*:*:*:*
  • Vendors & Products: Moovit; Moovit bus Public Transit App
  • References:
  • Metrics:
    cvssV2_0: {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-14T22:30:08.830Z

Reserved: 2026-06-14T06:36:17.689Z

Link: CVE-2026-12189

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-14T23:16:35.623

Modified: 2026-06-14T23:16:35.623

Link: CVE-2026-12189

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T01:00:08Z

Weaknesses

  • CWE-285: Improper Authorization
  • CWE-939: Improper Authorization in Handler for Custom URL Scheme