Description
ADB Explorer is a fluent UI for ADB on Windows. Versions 0.9.26020 and below fail to validate the integrity or authenticity of the ADB binary path specified in the ManualAdbPath setting before executing it, allowing arbitrary code execution with the privileges of the current user. An attacker can exploit this by crafting a malicious App.txt settings file that points ManualAdbPath to an arbitrary executable, then convincing a victim to launch the application with a command-line argument directing it to the malicious configuration directory. This vulnerability could be leveraged through social engineering tactics, such as distributing a shortcut bundled with a crafted settings file in an archive, resulting in RCE upon application startup. Thus issue has been fixed in version 0.9.26021.
Published: 2026-02-19
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability results from the ADB Explorer application failing to verify the integrity or authenticity of the ADB binary path set in the ManualAdbPath configuration. An attacker can craft an App.txt file that points this setting to any executable, which the application will run with the current user’s privileges. The weakness is classified as CWE‑829, exposing the application to arbitrary code execution.

Affected Systems

The issue affects the ADB Explorer utility developed by Alex4SSB for Windows, specifically all releases version 0.9.26020 and earlier. Users should confirm the installed version and update if the affected range applies.

Risk and Exploitability

The CVSS base score of 7.8 marks the vulnerability as high severity, yet the EPSS score of less than 1% indicates a low likelihood of exploitation at present, and it is not listed in the CISA KEV catalog. Exploitation typically requires social engineering—delivering a malicious configuration directory via a shortcut or other launch method—so environments that routinely run ADB Explorer from untrusted locations or rely on user‑supplied launch scripts are at higher risk.

Generated by OpenCVE AI on April 17, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released update to ADB Explorer 0.9.26021 or later.
  • Restrict the ability to modify the ManualAdbPath setting in the configuration files to trusted administrators.
  • Verify that any shortcut or launch script used to start ADB Explorer does not reference untrusted configuration directories and that App.txt files originate from reliable sources.

Generated by OpenCVE AI on April 17, 2026 at 17:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Alex4ssb
Alex4ssb adb-explorer
Vendors & Products Alex4ssb
Alex4ssb adb-explorer

Thu, 19 Feb 2026 23:45:00 +0000

Type Values Removed Values Added
Description ADB Explorer is a fluent UI for ADB on Windows. Versions 0.9.26020 and below fail to validate the integrity or authenticity of the ADB binary path specified in the ManualAdbPath setting before executing it, allowing arbitrary code execution with the privileges of the current user. An attacker can exploit this by crafting a malicious App.txt settings file that points ManualAdbPath to an arbitrary executable, then convincing a victim to launch the application with a command-line argument directing it to the malicious configuration directory. This vulnerability could be leveraged through social engineering tactics, such as distributing a shortcut bundled with a crafted settings file in an archive, resulting in RCE upon application startup. Thus issue has been fixed in version 0.9.26021.
Title ADB Explorer Vulnerable to RCE via Insufficient Input Validation
Weaknesses CWE-829
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Alex4ssb Adb-explorer
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:37:40.828Z

Reserved: 2026-02-16T22:20:28.611Z

Link: CVE-2026-26959

cve-icon Vulnrichment

Updated: 2026-02-20T15:29:28.891Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T00:16:16.000

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26959

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses