Description
MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme="android_secret_code">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue.
Published: 2026-01-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting leading to session hijacking and account takeover
Action: Patch
AI Analysis

Impact

MobSF, a mobile application security testing framework, contains a stored XSS vulnerability (CWE-79) in its Android manifest analysis. The flaw arises when the `android:host` field of `<data android:scheme="android_secret_code">` elements is rendered directly into HTML reports without sanitization. An attacker who uploads a crafted APK can cause arbitrary JavaScript to run in the context of a victim's browser session, allowing session hijacking and account takeover.
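To make the flaw class concrete, the following added example (not MobSF's own code, and not taken from the advisory) parses a constructed AndroidManifest.xml, pulls the `android:host` values of `android_secret_code` data elements, and renders each into a report row twice: once by raw string concatenation, which is the vulnerable pattern the advisory describes, and once with HTML output encoding, which is the class of fix applied in 4.4.5. The manifest, the sample host values and the helper names are assumptions made for this demo.

```python
"""Added illustration of the manifest-to-report XSS class described above.
This is demo code, not MobSF's implementation; the manifest is constructed."""
import html
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HOST_ATTR = f"{{{ANDROID_NS}}}host"      # ElementTree key for android:host
SCHEME_ATTR = f"{{{ANDROID_NS}}}scheme"  # ElementTree key for android:scheme

# Constructed manifest: one ordinary dialer secret code and one whose host
# attribute carries markup, standing in for an attacker-supplied APK.
# (In XML the angle brackets must be written as &lt; / &gt; inside an
# attribute; the parser hands them back as real '<' and '>'.)
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <receiver android:name=".SecretCodeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="1234"/>
        <data android:scheme="android_secret_code"
              android:host="&lt;script&gt;alert(1)&lt;/script&gt;"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def extract_secret_code_hosts(manifest_xml: str) -> list[str]:
    """Return the android:host value of every <data> element whose scheme is
    android_secret_code, in document order. Values are untrusted input:
    they come straight from whoever built the APK."""
    root = ET.fromstring(manifest_xml)
    return [
        data.get(HOST_ATTR, "")
        for data in root.iter("data")
        if data.get(SCHEME_ATTR) == "android_secret_code"
    ]


def render_row_unsafe(host: str) -> str:
    """Vulnerable pattern: the untrusted value is concatenated into HTML
    verbatim, so any markup in it becomes part of the report page."""
    return f"<tr><td>Dialer code</td><td>{host}</td></tr>"


def render_row_safe(host: str) -> str:
    """Fixed pattern: HTML-encode the value at the output boundary.
    quote=True also encodes ' and ", which matters inside attributes."""
    return f"<tr><td>Dialer code</td><td>{html.escape(host, quote=True)}</td></tr>"


def contains_script_tag(fragment: str) -> bool:
    """Crude report check: is there still a raw <script tag in the output?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    for host in extract_secret_code_hosts(SAMPLE_MANIFEST):
        print("unsafe:", render_row_unsafe(host))
        print("safe:  ", render_row_safe(host))
```

Template engines with autoescaping enabled (Django's, for example) produce the same encoded output as `render_row_safe` as long as the value is never marked safe or rendered inside an autoescape-off block; the vulnerable path is always the one where the attribute reaches the page without passing through that encoding step.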

Affected Systems

The issue affects the MobSF Mobile-Security-Framework-MobSF product prior to version 4.4.5. All earlier releases are vulnerable; the 4.4.5 release applies the necessary sanitization to the host attribute. Users running any earlier MobSF build should upgrade to 4.4.5 or later.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. EPSS is less than 1 %, suggesting a low exploitation probability in the current threat landscape, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path involves an attacker first uploading a malicious APK to the MobSF portal, which triggers the manifest analysis and generates an unsafe report. Successful exploitation then requires the victim to view the generated report in a browser where the injected script can execute.

Generated by OpenCVE AI on April 18, 2026 at 14:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MobSF to version 4.4.5 or later, which sanitizes the host field and removes the vulnerability.
  • Restrict upload permissions so that only trusted users can submit APKs for analysis, or isolate the analysis environment from the public web interface.
  • If a patch cannot be applied immediately, disable or remove the Android manifest analysis feature so that the host attribute is no longer rendered into HTML reports.

Advisories
Source: Github GHSA
ID: GHSA-8hf7-h89p-3pqj
Title: MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field
History

Tue, 17 Feb 2026 20:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Opensecurity
                                       Opensecurity Mobile Security Framework
CPEs                                   cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*
Vendors & Products                     Opensecurity
                                       Opensecurity Mobile Security Framework

Tue, 27 Jan 2026 15:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 09:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Mobsf
                                       Mobsf Mobile Security Framework
Vendors & Products                     Mobsf
                                       Mobsf Mobile Security Framework

Tue, 27 Jan 2026 01:00:00 +0000

Type          Values Removed   Values Added
Description                    MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme="android_secret_code">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue.
Title                          MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T14:43:35.345Z

Reserved: 2026-01-23T00:38:20.549Z

Link: CVE-2026-24490

Vulnrichment

Updated: 2026-01-27T14:43:31.128Z

NVD

Status: Analyzed

Published: 2026-01-27T01:16:02.610

Modified: 2026-02-17T20:36:16.200

Link: CVE-2026-24490

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses