Description
ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects. This allows an attacker to supply a crafted JSON file containing a gadget chain (e.g., ObjectDataProvider) to execute arbitrary code when the application launches and subsequently saves its settings. This vulnerability is fixed in Beta 0.9.26020.
Published: 2026-02-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

ADB Explorer deserializes the App.txt settings file with Newtonsoft.Json configured to allow object type handling, creating an insecure deserialization vulnerability. A crafted JSON file containing a gadget chain, such as ObjectDataProvider, can be supplied as App.txt and will cause the application to execute arbitrary code when it runs and subsequently saves its settings, resulting in compromise of the host’s integrity and confidentiality.

Affected Systems

This flaw exists in all versions of ADB Explorer released by Alex4SSB before Beta 0.9.26020. The fix was applied in the Beta 0.9.26020 release, and any installed instance running a prior version remains vulnerable.

Risk and Exploitability

The CVSS score of 7.8 reflects high severity, while the EPSS score of less than 1% indicates a low but non‑zero likelihood of exploitation. The likely attack vector is an attacker who can place a malicious App.txt file—through social engineering of a local user, a compromised account, or physical access—to trigger the payload when the application starts. Although the vulnerability is not listed in CISA’s KEV catalog and no public exploit has been documented, the mechanic permits full remote code execution on the host, making immediate patching a top priority.

Generated by OpenCVE AI on April 18, 2026 at 18:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ADB Explorer to any release version equal to or newer than Beta 0.9.26020, which removes the insecure deserialization handling.
  • If an upgrade cannot be applied immediately, replace the existing App.txt with a clean copy from a trusted source and set its file permissions to read‑only for all users to prevent an attacker from supplying a malicious version; consider restricting write access to the directory containing App.txt.
  • Configure Newtonsoft.Json in the application (if exposed to code changes) to disallow TypeNameHandling by setting TypeNameHandling to None or limiting it to specific trusted types.

Generated by OpenCVE AI on April 18, 2026 at 18:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Alex4ssb
Alex4ssb adb-explorer
Vendors & Products Alex4ssb
Alex4ssb adb-explorer

Fri, 13 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Description ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects. This allows an attacker to supply a crafted JSON file containing a gadget chain (e.g., ObjectDataProvider) to execute arbitrary code when the application launches and subsequently saves its settings. This vulnerability is fixed in Beta 0.9.26020.
Title ADB Explorer Vulnerable to Remote Code Execution via Insecure Deserialization
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Alex4ssb Adb-explorer
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-13T19:21:56.476Z

Reserved: 2026-02-11T19:56:24.814Z

Link: CVE-2026-26208

cve-icon Vulnrichment

Updated: 2026-02-13T19:21:48.389Z

cve-icon NVD

Status : Deferred

Published: 2026-02-13T19:17:29.420

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26208

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses