CVE-2026-26208
Published: 13 February 2026
Summary
CVE-2026-26208 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked in the top 22.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
ADB Explorer, a fluent UI for ADB on Windows, is affected by an insecure deserialization vulnerability (CWE-502) in versions prior to Beta 0.9.26020. The application deserializes its App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects, which permits gadget chains such as ObjectDataProvider to be processed during launch and settings save operations. The issue carries a CVSS 3.1 score of 7.8 reflecting local attack vector, low complexity, and no required privileges.
An attacker with the ability to place a crafted JSON file in the expected settings location can achieve remote code execution when the application starts. The attack requires user interaction to open the application but needs no authentication, allowing arbitrary code to run in the context of the ADB Explorer process on Windows systems.
The referenced GitHub security advisory, commit, and release notes state that the flaw is resolved in Beta 0.9.26020. The EPSS score remains flat at 0.0104 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5933
Vulnerability details
ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set…
more
to Objects. This allows an attacker to supply a crafted JSON file containing a gadget chain (e.g., ObjectDataProvider) to execute arbitrary code when the application launches and subsequently saves its settings. This vulnerability is fixed in Beta 0.9.26020.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Insecure deserialization of the local App.txt settings file (via Newtonsoft.Json TypeNameHandling) directly enables arbitrary code execution when a user launches the legitimate ADB Explorer application, mapping to user execution via a malicious file placed by an attacker.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and correction of software flaws like insecure deserialization in ADB Explorer to prevent RCE exploitation.
Enforces validation of information inputs such as the App.txt JSON file to reject malicious gadget chains during deserialization.
Mandates secure configuration settings for system components, including disabling unsafe deserialization options like TypeNameHandling.Objects in Newtonsoft.Json.