CVE-2026-24490
Published: 27 January 2026
Summary
CVE-2026-24490 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Opensecurity Mobile Security Framework. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly prevents stored XSS by requiring filtering of user-controlled android:host data from APK manifests prior to rendering in HTML reports.
Ensures timely remediation of the known flaw through patching to MobSF version 4.4.5 or later, which implements proper sanitization.
Validates inputs from uploaded APK manifests, such as restricting android:host to valid hostnames to block malicious payloads before storage and report generation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in generated reports directly enables browser session hijacking (T1185) and theft of web session cookies (T1539), leading to account takeover as described.
NVD Description
MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme="android_secret_code">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue.
Deeper analysis
CVE-2026-24490 is a Stored Cross-site Scripting (XSS) vulnerability in the Mobile Security Framework (MobSF), an open-source mobile application security testing tool. Versions prior to 4.4.5 are affected, specifically in the Android manifest analysis component. The flaw occurs because the `android:host` attribute from `<data android:scheme="android_secret_code">` elements in uploaded APK files is rendered in generated HTML reports without sanitization, allowing injected JavaScript to execute. The vulnerability is classified under CWE-79 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N).
An attacker requires high privileges (PR:H) within a MobSF instance to upload a malicious APK containing a crafted `android:host` value. Exploitation occurs when a victim with access to the platform views the resulting HTML report, triggering user interaction (UI:R) that executes arbitrary JavaScript in the victim's browser session context over the network (AV:N). Successful exploitation enables session hijacking and account takeover, with high impacts on confidentiality and integrity due to the changed scope (S:C).
MobSF version 4.4.5 resolves the issue through proper sanitization. Administrators and practitioners should upgrade to this version or later to mitigate the vulnerability. Official resources include the fixing commit at https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae, the release announcement at https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5, and the GitHub security advisory at https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj.
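The following is an added example, not MobSF's own code or its fix: it parses the `android_secret_code` hosts out of a constructed AndroidManifest.xml, shows the unsanitized report rendering shape the advisory describes, and beside it the hardened form that validates the host on input and HTML-escapes it on output (the SI-15 output filtering and input validation the controls above call for). The element names and attribute namespace are the standard Android manifest ones; the allow-list pattern and sample manifest are assumptions made for this example.

```python
# Added example (not MobSF's code): extract android_secret_code hosts from a
# constructed manifest and compare unsanitized vs. hardened HTML rendering.
import html
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HOST_ATTR = f"{{{ANDROID_NS}}}host"
SCHEME_ATTR = f"{{{ANDROID_NS}}}scheme"

# Constructed sample manifest: one legitimate secret code and one host value
# carrying HTML metacharacters (XML-escaped here; the parser decodes them).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <receiver android:name=".SecretCodeReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="1234"/>
        <data android:scheme="android_secret_code" android:host="56&lt;b&gt;78&lt;/b&gt;"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Assumed allow-list: secret-code hosts are dial strings, so only these characters pass.
VALID_HOST = re.compile(r"^[A-Za-z0-9*#.\-]{1,64}$")


def extract_secret_code_hosts(manifest_xml: str) -> list[str]:
    """Return the android:host of every <data android:scheme="android_secret_code"> element."""
    root = ET.fromstring(manifest_xml)
    return [d.get(HOST_ATTR, "") for d in root.iter("data")
            if d.get(SCHEME_ATTR) == "android_secret_code"]


def render_unsafe(hosts: list[str]) -> str:
    """Shape of the pre-4.4.5 flaw: attacker-controlled text interpolated straight into HTML."""
    return "<ul>" + "".join(f"<li>{h}</li>" for h in hosts) + "</ul>"


def render_safe(hosts: list[str]) -> str:
    """Hardened form: reject hosts outside the allow-list, then escape whatever is emitted."""
    items = []
    for h in hosts:
        label = h if VALID_HOST.match(h) else "[rejected: invalid secret code host]"
        items.append(f"<li>{html.escape(label, quote=True)}</li>")
    return "<ul>" + "".join(items) + "</ul>"
```

Escaping alone (`render_safe` without the allow-list) already closes the XSS; the validation step additionally keeps a malformed host out of the stored report data.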
Details
- CWE(s)