Description
Improper input validation in Galaxy Store prior to version 4.6.02 allows local attacker to execute arbitrary script.
Published: 2026-01-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Script Execution
Action: Apply Patch
AI Analysis

Impact

This vulnerability stems from improper input validation in the Galaxy Store application, which lets a local attacker execute an arbitrary script. The weakness is recorded only as an input validation fault (NVD assigns no more specific CWE, NVD-CWE-noinfo), so the practical consequence is unauthorized code execution in the context of the Store on the affected device. Both scoring vectors on this page rate the attack vector as local (AV:L): exploitation requires code or a user already present on the device, and no remote or network-based path is described.

Affected Systems

Samsung Mobile's Galaxy Store application in versions prior to 4.6.02 (CPE cpe:2.3:a:samsung:galaxy_store:*:*:*:*:*:*:*:*). The vulnerability description names 4.6.02 as the first release without the flaw; no separate vendor advisory is linked on this page.

Risk and Exploitability

The page carries two scores that disagree. Samsung's CVSS v4.0 assessment of 5.1 (Medium) rates the flaw as local, requiring no privileges or user interaction, with low confidentiality impact only (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N). NVD's CVSS v3.1 assessment is 7.8 (High): local, low privileges required, but high confidentiality, integrity and availability impact (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Under either vector the attacker must already have a foothold on the device, in practice a malicious app that is already installed or hands-on access, so the flaw is a step in a chain that begins with local access rather than an entry point. The EPSS score below 1% indicates a low probability of exploitation, the SSVC decision record notes no known exploitation and rates it not automatable, and it is not listed in CISA's Known Exploited Vulnerabilities catalog. The immediate risk to most users is therefore governed by the likelihood of untrusted code or an untrusted person obtaining local access to the device.

Generated by OpenCVE AI on April 18, 2026 at 19:16 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description itself identifies Galaxy Store 4.6.02 as the version in which the flaw is fixed, so updating the Store is the remediation.

OpenCVE Recommended Actions

  • Update Galaxy Store to version 4.6.02 or later as released by Samsung, and confirm the installed version afterwards rather than assuming the self-update completed.
  • If an update cannot be applied immediately, disable the Galaxy Store app until it can be updated; the Store is preloaded as a system app on Samsung devices, so disabling rather than uninstalling is usually the only option without root.
  • Because the attack vector is local, the realistic attacker is an app already on the device: restrict installation from unknown sources and use Play Protect or enterprise device policy to control which apps can be installed, and on managed fleets report the installed Galaxy Store version through MDM inventory so unpatched devices can be found.
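
As an added example, not code from OpenCVE or Samsung, the following POSIX shell script checks whether the Galaxy Store installed on an Android device is older than 4.6.02, the fixed version named in the description. It assumes the Store's package name is com.sec.android.app.samsungapps, uses a constructed sample of `adb shell dumpsys package` output for the offline demo, and compares version fields numerically so that a 4.10.x release is not mis-sorted below 4.6.02 by a plain string comparison.

```sh
#!/bin/sh
# Added example, not code from OpenCVE or Samsung. Checks whether the Galaxy
# Store installed on an Android device is older than 4.6.02, the fixed version
# named in the CVE description. The package name and the sample dumpsys output
# below are assumptions made for this example.

FIXED_VERSION="4.6.02"
PKG="com.sec.android.app.samsungapps"   # assumed Galaxy Store package name

# Read `dumpsys package` output on stdin and print the first versionName value.
parse_version_name() {
    sed -n 's/^[[:space:]]*versionName=\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_lt A B: succeed (exit 0) when dotted version A sorts strictly before B.
# Fields are compared numerically, so 4.10.00 > 4.6.02 and 4.6.01.3 < 4.6.02;
# a missing trailing field counts as 0, so 4.6 == 4.6.00.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in A) ? A[i] + 0 : 0
            y = (i in B) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# galaxy_store_status VERSION: print "vulnerable" (exit 0) or "patched" (exit 1).
galaxy_store_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
        return 0
    fi
    echo patched
    return 1
}

# Constructed sample of the relevant lines from
# `adb shell dumpsys package com.sec.android.app.samsungapps`; the numbers are
# invented for this example.
SAMPLE_DUMPSYS='Packages:
  Package [com.sec.android.app.samsungapps] (a1b2c3d):
    userId=10042
    versionCode=460100000 minSdk=26 targetSdk=34
    versionName=4.6.01.3
    apkSigningVersion=3'

# check_device: query a connected device over adb (USB debugging enabled).
check_device() {
    v=$(adb shell dumpsys package "$PKG" | parse_version_name)
    if [ -z "$v" ]; then
        echo "$PKG not found or adb unavailable" >&2
        return 2
    fi
    printf '%s installed %s: ' "$PKG" "$v"
    galaxy_store_status "$v"
}

# Usage: ./check_galaxy_store.sh --demo    -> run against the constructed sample
#        ./check_galaxy_store.sh --device  -> check the attached device via adb
case "${1:-}" in
    --demo)
        v=$(printf '%s\n' "$SAMPLE_DUMPSYS" | parse_version_name)
        printf 'sample installed %s: ' "$v"
        galaxy_store_status "$v"
        ;;
    --device)
        check_device
        ;;
esac
```

The `--device` path runs the real `adb shell dumpsys package` command against one attached device; for a fleet, feed the same `version_lt` check the versionName values your MDM inventory already collects instead of connecting to each device.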

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 19:45:00 +0000

Type  | Values Removed | Values Added
Title |                | Local Script Execution via Improper Input Validation in Galaxy Store

Thu, 15 Jan 2026 19:45:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | NVD-CWE-noinfo
CPEs       |                | cpe:2.3:a:samsung:galaxy_store:*:*:*:*:*:*:*:*
Metrics    |                | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 09 Jan 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 13:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Samsung; Samsung galaxy Store
Vendors & Products  |                | Samsung; Samsung galaxy Store

Fri, 09 Jan 2026 06:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper input validation in Galaxy Store prior to version 4.6.02 allows local attacker to execute arbitrary script.
References  |                |
Metrics     |                | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-01-09T19:10:00.532Z

Reserved: 2025-12-11T01:33:35.799Z

Link: CVE-2026-20976

Vulnrichment

Updated: 2026-01-09T19:09:58.307Z

NVD

Status : Analyzed

Published: 2026-01-09T07:16:04.263

Modified: 2026-01-15T19:43:57.340

Link: CVE-2026-20976

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses