PT-2026-52636 · Shenzhen I365 Tech Co. · Setracker2 Parental Control App (Android) Package Com.Tgelec.Setracker

Huancheng Hu

Published

2026-06-25

Updated

2026-06-26

CVE-2026-9221

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID. With the session ID exposed, an attacker could impersonate the legitimate user and issue authenticated API requests.

Fix

Use of a Broken Cryptographic Algorithm

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-327

Related Identifiers

CVE-2026-9221

Affected Products

Setracker2 Parental Control App (Android) Package Com.Tgelec.Setracker

PT-2026-52636 · Shenzhen I365 Tech Co. · Setracker2 Parental Control App (Android) Package Com.Tgelec.Setracker

CVE-2026-9221

Weakness Enumeration

Related Identifiers

Affected Products

References · 2