PT-2026-4843 · MobSF · MobSF

Smaranchand · Published 2026-01-26 · Updated 2026-02-14

CVE-2026-24490
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: MobSF versions prior to 4.4.5
Description: MobSF is a mobile application security testing tool. A stored cross-site scripting (XSS) vulnerability exists in MobSF's Android manifest analysis. It allows an attacker to execute arbitrary JavaScript in a victim's browser session by uploading a malicious APK. Specifically, the android:host attribute of <data android:scheme="android_secret_code"> elements is rendered in HTML reports without sanitization, potentially leading to session hijacking and account takeover. The vulnerability is triggered when MobSF analyzes an Android APK whose manifest contains a <data> element with android:scheme="android_secret_code": the android:host attribute is extracted and inserted directly into the analysis report without HTML escaping. The vulnerable code path consists of data extraction from the manifest file, template string formatting, and unsafe rendering of the extracted value in the HTML report. A proof-of-concept (PoC) APK has been created to demonstrate the vulnerability.
Recommendations: Update MobSF to version 4.4.5 or later.

Tags: Exploit, Fix, XSS

Related Identifiers: CVE-2026-24490, GHSA-8HF7-H89P-3PQJ

Affected Products: MobSF