Cyber Resilience

CVE-2026-26208

High

Published: 13 February 2026

Published
13 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0104 77.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26208 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked in the top 22.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

ADB Explorer, a fluent UI for ADB on Windows, is affected by an insecure deserialization vulnerability (CWE-502) in versions prior to Beta 0.9.26020. The application deserializes its App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects, which permits gadget chains such as ObjectDataProvider to be processed during launch and settings save operations. The issue carries a CVSS 3.1 score of 7.8 reflecting local attack vector, low complexity, and no required privileges.

An attacker with the ability to place a crafted JSON file in the expected settings location can achieve remote code execution when the application starts. The attack requires user interaction to open the application but needs no authentication, allowing arbitrary code to run in the context of the ADB Explorer process on Windows systems.

The referenced GitHub security advisory, commit, and release notes state that the flaw is resolved in Beta 0.9.26020. The EPSS score remains flat at 0.0104 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set…

more

to Objects. This allows an attacker to supply a crafted JSON file containing a gadget chain (e.g., ObjectDataProvider) to execute arbitrary code when the application launches and subsequently saves its settings. This vulnerability is fixed in Beta 0.9.26020.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Insecure deserialization of the local App.txt settings file (via Newtonsoft.Json TypeNameHandling) directly enables arbitrary code execution when a user launches the legitimate ADB Explorer application, mapping to user execution via a malicious file placed by an attacker.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21364Shared CWE-502
CVE-2025-60037Shared CWE-502
CVE-2026-27776Shared CWE-502
CVE-2024-12703Shared CWE-502
CVE-2026-24151Shared CWE-502
CVE-2025-33253Shared CWE-502
CVE-2026-24165Shared CWE-502
CVE-2026-31218Shared CWE-502
CVE-2026-31219Shared CWE-502
CVE-2026-24150Shared CWE-502

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of software flaws like insecure deserialization in ADB Explorer to prevent RCE exploitation.

prevent

Enforces validation of information inputs such as the App.txt JSON file to reject malicious gadget chains during deserialization.

prevent

Mandates secure configuration settings for system components, including disabling unsafe deserialization options like TypeNameHandling.Objects in Newtonsoft.Json.

References