CVE-2026-24490: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MobSF Mobile-Security-Framework-MobSF
CVE-2026-24490 is a high-severity stored Cross-site Scripting (XSS) vulnerability in Mobile-Security-Framework-MobSF versions prior to 4.4.5. It arises from improper sanitization of the android:host attribute when Android manifest data is rendered into the HTML analysis report, allowing an attacker to inject JavaScript by uploading a crafted APK. When a user opens the report, the script runs in that user's browser session and can lead to session hijacking and account takeover. Exploitation requires the ability to upload an APK to the MobSF instance and a victim who views the generated report. The flaw is fixed in version 4.4.5. European organizations using vulnerable MobSF versions for mobile app security testing face a risk to the confidentiality of their internal security findings and to the integrity of their testing process.
AI Analysis
Technical Summary
CVE-2026-24490 is a stored Cross-site Scripting (XSS) vulnerability in Mobile-Security-Framework-MobSF, a widely used tool for mobile application security testing. It affects versions prior to 4.4.5 and sits in the Android manifest analysis component. When MobSF processes an APK it extracts manifest attributes and renders them into an HTML report. The flaw is the improper neutralization of the android:host attribute of <data android:scheme="android_secret_code"> elements: the attribute value is embedded directly into the report without HTML encoding, so an attacker who controls it can inject arbitrary markup and JavaScript.

An adversary exploits this by uploading a maliciously crafted APK whose manifest carries the payload in android:host. When a legitimate user views the generated report, the script executes in the context of that user's MobSF session, enabling session hijacking, account takeover, or other actions with the victim's browser privileges. Exploitation requires that the attacker can upload APKs to the MobSF instance and that the victim views the resulting report, so both authenticated access and user interaction are needed. The CVSS v3.1 base score is 8.1: high impact on confidentiality and integrity, network attack vector, low attack complexity, high privileges required, and user interaction required.

The issue was addressed in MobSF 4.4.5 by properly escaping the android:host value before it is rendered into the report. No known exploits in the wild have been reported to date. The case illustrates that insufficient output encoding in security tools themselves can undermine the trust and security of the testing environment they are meant to protect.
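The following added example illustrates the mechanism described above. It is not MobSF's code: it assumes a minimal manifest-to-report pipeline (parse AndroidManifest.xml, collect the android:host values of <data android:scheme="android_secret_code"> elements, render them into an HTML table) and places a vulnerable renderer next to an escaped one. The manifest text, the receiver name and the payload are constructed for the example. A small audit helper flags host values containing markup characters, which supports the kind of upload review discussed under mitigations.

```python
"""Stored XSS via an unescaped android:host value in a manifest report.

Added example, not Mobile-Security-Framework-MobSF's own code. It models
the report-generation step in the simplest possible form so that the
difference between raw interpolation and HTML escaping is visible.
"""
import html
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """Clark-notation key for an android:<name> attribute in ElementTree."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed manifest (not extracted from a real APK). In a compiled APK the
# manifest is binary AXML and the host string is stored verbatim; here the
# '<' and '>' are XML-escaped so the text parses, and the decoded attribute
# value is the raw payload.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <receiver android:name=".SecretCodeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="1234"/>
        <data android:scheme="android_secret_code"
              android:host="&lt;img src=x onerror=alert(document.cookie)&gt;"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def secret_code_hosts(manifest_xml: str) -> list[str]:
    """Return the android:host of every <data android:scheme="android_secret_code">."""
    root = ET.fromstring(manifest_xml)
    hosts = []
    for data in root.iter("data"):
        if data.get(android_attr("scheme")) == "android_secret_code":
            host = data.get(android_attr("host"))
            if host is not None:
                hosts.append(host)
    return hosts


def render_vulnerable(hosts: list[str]) -> str:
    """Interpolates the attacker-controlled value directly: markup survives."""
    rows = "".join("<tr><td>%s</td></tr>" % h for h in hosts)
    return "<table>%s</table>" % rows


def render_fixed(hosts: list[str]) -> str:
    """HTML-escapes each value so it is displayed as text, never parsed as markup."""
    rows = "".join("<tr><td>%s</td></tr>" % html.escape(h, quote=True) for h in hosts)
    return "<table>%s</table>" % rows


# Secret codes are dial strings (digits and a few symbols), so any HTML
# metacharacter or event-handler syntax in a host value deserves a look.
SUSPICIOUS = re.compile(r"""[<>"'&]|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def suspicious_hosts(hosts: list[str]) -> list[str]:
    """Audit helper: host values that look like injected markup rather than a dial code."""
    return [h for h in hosts if SUSPICIOUS.search(h)]


if __name__ == "__main__":
    found = secret_code_hosts(SAMPLE_MANIFEST)
    print("vulnerable:", render_vulnerable(found))
    print("fixed:     ", render_fixed(found))
    print("flagged:   ", suspicious_hosts(found))
```

The vulnerable renderer emits the `<img ... onerror=...>` element into the report, where the victim's browser executes it; the fixed renderer emits `&lt;img ...&gt;`, which is displayed but inert. Escaping at the output point is the fix; the audit regex only helps operators spot hostile uploads and is no substitute for it.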
Potential Impact
For European organizations, this vulnerability is a significant risk to those relying on MobSF for mobile application security assessments. Exploitation can hijack the sessions and take over the accounts of users who open MobSF reports, exposing security analysis data, internal project information, or credentials, which could in turn facilitate attacks on the organization's mobile applications or infrastructure. Because MobSF is used by security teams and developers, compromise of these reports undermines the integrity of the testing process and may disclose application vulnerabilities before they are remediated. The attack requires authenticated upload access and user interaction, which limits exposure to internal or trusted users; an insider, or an attacker holding a compromised account, could still use it as a foothold in the security team's environment. Confidentiality and integrity impact is high; availability is not affected. Organizations in Europe with active mobile development, security research, or penetration testing teams running vulnerable MobSF versions are exposed to data leakage and loss of trust in their test results.
Mitigation Recommendations
1. Upgrade MobSF instances to version 4.4.5 or later, where the vulnerability is patched.
2. Restrict APK upload permissions to trusted users only, minimizing the risk of malicious uploads.
3. Limit access to MobSF and its reports to authenticated, authorized personnel, ideally within a segmented network.
4. Apply a Content Security Policy that disallows inline scripts on the report interface to reduce the impact of any injected markup. A web application firewall is of limited value here, since the payload arrives inside a binary APK rather than in an HTTP parameter.
5. Audit MobSF usage and logs regularly for anomalous uploads or unusual report access patterns.
6. Educate security and development teams on the risks of running outdated security tooling and the importance of timely patching.
7. Run MobSF in an isolated or sandboxed environment so that a compromised session yields as little as possible.
8. Monitor vulnerability advisories for emerging exploits and apply additional mitigations as needed.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-23T00:38:20.549Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69780bf04623b1157cc7aacb
Added to database: 1/27/2026, 12:50:56 AM
Last enriched: 1/27/2026, 1:05:16 AM
Last updated: 1/27/2026, 3:20:20 AM