Description
CWE-79 vulnerability in MolotovCherry Android-ImageMagick7. This issue affects Android-ImageMagick7: before 7.1.2-11.
Published: 2026-03-24
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The vulnerability is a cross‑site scripting flaw in MolotovCherry's Android‑ImageMagick7 library. A malicious image file can contain specially crafted data that, when processed by the library, causes arbitrary JavaScript to be executed in the context of the application or a web view. This enables an attacker to steal sensitive data, hijack sessions or perform other malicious actions, thereby compromising confidentiality and integrity. The weakness is identified as CWE‑79, an input validation oversight that permits injection of executable script.

Affected Systems

The issue affects users of MolotovCherry's Android‑ImageMagick7 versions before 7.1.2‑11. Any Android application that incorporates the vulnerable library without upgrading is susceptible to the attack. The CPE listed indicates the product, and the vendor explicitly states that versions prior to 7.1.2‑11 are at risk.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, while the EPSS score of less than 1% suggests that widespread exploitation is unlikely. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation requires delivery of a malicious image to be processed by the application, which can be achieved remotely or by prompting a user to open a link containing the image. Although exploitation is not trivial, the impact of a successful attack is non‑negligible.

Generated by OpenCVE AI on March 26, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Android‑ImageMagick7 library to version 7.1.2‑11 or later.
  • Verify that the application no longer references the vulnerable library version.
  • If an upgrade cannot be performed immediately, monitor the vendor's advisory channels for updates and consider disabling the feature that processes external images until a fix is available.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:molotovcherry:android-imagemagick7:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Molotovcherry
Molotovcherry android-imagemagick7
Vendors & Products Molotovcherry
Molotovcherry android-imagemagick7

Tue, 24 Mar 2026 06:45:00 +0000

Type Values Removed Values Added
Description CWE-79 vulnerability in MolotovCherry Android-ImageMagick7. This issue affects Android-ImageMagick7: before 7.1.2-11.
Title CWE-79 in MolotovCherry Android-ImageMagick7
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-03-24T13:32:06.967Z

Reserved: 2026-03-24T06:02:48.515Z

Link: CVE-2026-4754

Vulnrichment

Updated: 2026-03-24T13:32:01.528Z

NVD

Status: Analyzed

Published: 2026-03-24T07:16:07.350

Modified: 2026-03-26T19:02:47.853

Link: CVE-2026-4754

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:21:14Z

Weaknesses