Description
A weakness has been identified in Chess Play and Learn App up to 4.9.42 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.chess. This manipulation causes exposure of backup file to an unauthorized control sphere. It is feasible to perform the attack on the physical device. The exploit has been made available to the public and could be used for attacks. Upgrading the affected component is advised. The vendor was informed early about this issue. They confirmed the existence and that they will address it. Furthermore, they explain that their bug bounty "explicitly excludes physical-access attacks". However, they appreciate the quality of the report and aim at making a goodwill payment to the researcher.
Published: 2026-06-28
Score: 2.4 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Chess Play and Learn App for Android, versions up to 4.9.42, contains a weakness in the processing of the AndroidManifest.xml file of the com.chess component. The flaw permits a local attacker with physical access to the device to read the app's backup file, exposing sensitive information to an unauthorized control sphere. The weaknesses assigned are improper authorization (CWE-285) and exposure of a backup file to an unauthorized control sphere (CWE-530).

Affected Systems

The vulnerability affects the Chess Play and Learn App on Android, in app versions up to 4.9.42. It originates in the com.chess component's AndroidManifest.xml, which governs the app's backup handling.

Risk and Exploitability

The CVSS score of 2.4 is rated Low, and no EPSS score is available, so the exploitation probability is not quantified. The attack vector requires physical access to the device, limiting the threat to local attackers. The vulnerability is not listed in CISA's KEV catalog, suggesting no widespread exploitation to date, but an exploit has been made public, and the vendor has confirmed the issue and plans a fix. Overall, the risk is moderate: devices that can be physically accessed remain vulnerable until patched.

Generated by OpenCVE AI on June 29, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chess Play and Learn App to a version newer than 4.9.42 once the vendor's fix is available.
  • If an update is not immediately available, restrict the app’s participation in Android’s backup mechanism by disabling backup for the com.chess component or removing the app from the backup whitelist.
  • For devices that already have the patched application, enable full disk encryption and restrict physical access to prevent local attackers from exploiting any remaining backup artifacts.


Advisories

No advisories yet.

History

Sun, 28 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
  • Description: identical to the Description at the top of this page
  • Title: Chess Play and Learn App com.chess AndroidManifest.xml backup
  • First Time appeared: Chess; Chess play And Learn App
  • Weaknesses: CWE-285; CWE-530
  • CPEs: cpe:2.3:a:chess:play_and_learn_app:*:*:*:*:*:*:*:*
  • Vendors & Products: Chess; Chess play And Learn App
  • References:
  • Metrics:
      cvssV2_0: {'score': 2.1, 'vector': 'AV:L/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}
      cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
      cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
      cvssV4_0: {'score': 2.4, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-28T23:15:11.940Z

Reserved: 2026-06-28T06:40:38.081Z

Link: CVE-2026-13514

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T00:30:04Z

Weaknesses
  • CWE-285

    Improper Authorization

  • CWE-530

    Exposure of Backup File to an Unauthorized Control Sphere