PT-2026-60984 · Unknown · Stoat For Android

·

CVE-2026-57848

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v3.1

5.5

Medium

VectorAV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Stoat for Android (affected versions not specified)
Description Stoat for Android exports the chat.stoat.activities.ShareTargetActivity component, which is accessible to any process on the device via the android.intent.action.SEND intent. The activity accepts a file to share through the android.intent.extra.STREAM extra but fails to validate or filter the incoming URI. This allows a caller to provide a file:// URI pointing to the application's internal storage, such as databases, cached authentication tokens, or preferences. An attacker with the ability to invoke intents on the device can trigger this activity to make the user send internal application files to a chosen channel or user. Because the composer labels the attachment simply as "attachment" without a filename, the user is unaware that internal data is being transmitted. This can lead to the disclosure of message history, contact lists, and authentication tokens, potentially resulting in full account takeover.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-57848

Affected Products

Stoat For Android