CVE-2026-24490: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MobSF Mobile-Security-Framework-MobSF
CVE-2026-24490 is a high-severity stored cross-site scripting (XSS) vulnerability in MobSF Mobile-Security-Framework-MobSF versions prior to 4.4.5. It arises from improper sanitization of the android:host attribute when MobSF renders its Android manifest analysis report, so an attacker who can upload a crafted APK can inject JavaScript into that report. When another user views the report, the script runs in that user's browser session, which can lead to session hijacking and account takeover. Exploitation requires an authenticated account that is allowed to upload APKs (CVSS PR:H) and a victim who opens the resulting report (UI:R); the impact is on the confidentiality and integrity of user sessions, with no impact on availability. MobSF 4.4.5 addresses the issue by properly neutralizing the value before it is written into the report. European organizations running vulnerable MobSF versions for mobile app security testing are at risk, especially those in sectors with high mobile app security demands.
AI Analysis
Technical Summary
CVE-2026-24490 is a stored cross-site scripting (XSS) vulnerability in Mobile-Security-Framework-MobSF, a widely used mobile application security testing tool. It affects versions prior to 4.4.5 and specifically the Android manifest analysis feature. MobSF generates HTML reports that include data extracted from the APK, among it the android:host attribute of <data android:scheme="android_secret_code"> elements in AndroidManifest.xml. Because this value was not neutralized before being written into the report, a crafted APK can carry HTML or JavaScript in android:host, and the report renders it as markup rather than as text. The payload is stored with the scan results, so it executes whenever any user views that report, in the context of that user's MobSF session; the script can then read what the session can read and act as the victim, which is what makes session hijacking and account takeover possible. The attacker needs an account that is allowed to upload APKs, and the victim must open the generated report. The CVSS 3.1 base score is 8.1 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N): network attack vector, low attack complexity, high privileges required, user interaction required, and a scope change (the payload is stored by the MobSF server but executes in another user's browser) with high confidentiality and integrity impact and no availability impact. No exploitation in the wild has been reported. The vendor fixed the issue in MobSF 4.4.5 by properly neutralizing the value before it is rendered into the report.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of user sessions within MobSF environments. Organizations that rely on MobSF for mobile app security testing, particularly those handling sensitive or regulated mobile applications, may face session hijacking or account takeover if malicious APKs are uploaded and reports viewed by authorized personnel. This could lead to unauthorized access to sensitive security testing data, manipulation of testing results, or further lateral movement within the network. The requirement for authenticated upload and user interaction limits the attack surface but does not eliminate risk, especially in environments with multiple users or less stringent access controls. The vulnerability could undermine trust in security testing processes and potentially expose intellectual property or compliance-related information. Given the growing importance of mobile security in sectors such as finance, healthcare, and government across Europe, the impact could be material if exploited.
Mitigation Recommendations
1. Upgrade MobSF to version 4.4.5 or later and confirm the running version afterwards; container images and source checkouts are easy to leave behind on the old release.
2. Restrict APK upload permissions to trusted, trained personnel. MobSF's REST API also accepts uploads when presented with the API key, so that key must be protected like any other credential.
3. Apply output encoding in any custom report generation or post-processing that reuses MobSF output, so that manifest-derived strings are always written into HTML as text, never as markup.
4. Monitor and audit upload activity and report access to detect behaviour indicative of exploitation attempts; an uploaded APK whose manifest declares an android:host containing HTML metacharacters (for example < > " or an on...= handler) deserves manual inspection, since a legitimate secret-code host does not need them.
5. Make users aware that a report generated from an APK supplied by someone else is not safer than that APK, and that reports from unverified uploads should be treated as untrusted content.
6. Isolate MobSF instances in segmented network zones with limited access, so a compromised analyst session cannot easily be used for lateral movement.
7. Regularly review and update security testing tools and processes to incorporate vendor patches and security best practices.

Steps 2 to 7 reduce exposure but do not close the hole: a stored XSS in a generated report is only removed by encoding the value at the point the report is generated, which is what the 4.4.5 fix does.
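The following is an added example written for this page; it is not MobSF's code and does not show MobSF's template or the actual 4.4.5 patch. It illustrates the mechanism described in the technical summary (a manifest value concatenated into HTML versus the same value entity-encoded) and the pre-upload check suggested in mitigation step 4. The manifest text, the function names and the report layout are all constructed for the example; a real APK carries AndroidManifest.xml in binary AXML form and has to be decoded first (for instance with `apktool d app.apk`) before it can be parsed like this.

```python
"""Added example, not MobSF's code: a toy manifest-report renderer showing the
CWE-79 pattern behind CVE-2026-24490 beside its hardened form, plus a check
that flags suspicious android:host values before an APK is uploaded.
The manifest, function names and report layout are all hypothetical."""
import html
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HOST_ATTR = "{%s}host" % ANDROID_NS
SCHEME_ATTR = "{%s}scheme" % ANDROID_NS

# Constructed sample of a decoded AndroidManifest.xml. The second <data>
# element carries markup in android:host, which is the injection point
# described in the advisory.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <receiver android:name=".SecretCodeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="1234"/>
        <data android:scheme="android_secret_code"
              android:host="&lt;img src=x onerror=alert(document.cookie)&gt;"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def secret_code_hosts(manifest_xml: str) -> list:
    """Return the android:host of every <data android:scheme="android_secret_code">."""
    root = ET.fromstring(manifest_xml)
    return [
        data.get(HOST_ATTR)
        for data in root.iter("data")
        if data.get(SCHEME_ATTR) == "android_secret_code"
        and data.get(HOST_ATTR) is not None
    ]


def render_hosts_vulnerable(hosts: list) -> str:
    """The CWE-79 pattern: attacker-controlled strings concatenated into HTML."""
    items = "".join("<li>android_secret_code://%s</li>" % h for h in hosts)
    return "<ul>%s</ul>" % items


def render_hosts_fixed(hosts: list) -> str:
    """Same report with HTML entity encoding at the point of output, so the
    browser receives text, not markup. Django's template autoescaping does
    this by default; it is bypassed by |safe, mark_safe() or by building the
    HTML through string concatenation as render_hosts_vulnerable does."""
    items = "".join(
        "<li>android_secret_code://%s</li>" % html.escape(h, quote=True) for h in hosts
    )
    return "<ul>%s</ul>" % items


# Pre-upload check. Secret codes are dialled (*#*#code#*#*), so a legitimate
# host consists of dialable characters; markup characters, a javascript: prefix
# or an event-handler attribute in it are a strong signal that the APK was
# built to attack the tool that reads it.
SUSPICIOUS_HOST = re.compile(r"""[<>"'&]|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def suspicious_secret_code_hosts(manifest_xml: str) -> list:
    """Hosts worth a manual look before the APK is handed to MobSF."""
    return [h for h in secret_code_hosts(manifest_xml) if SUSPICIOUS_HOST.search(h)]


if __name__ == "__main__":
    hosts = secret_code_hosts(SAMPLE_MANIFEST)
    print("vulnerable :", render_hosts_vulnerable(hosts))
    print("fixed      :", render_hosts_fixed(hosts))
    print("flagged    :", suspicious_secret_code_hosts(SAMPLE_MANIFEST))
```

Run it as a script and compare the two `<ul>` lines: the vulnerable rendering contains a live `<img ... onerror=...>` element, the fixed one contains `&lt;img ...&gt;`, which a browser displays as literal text. The suspicious-host check is deliberately a triage signal rather than a filter: it tells you which APKs to examine on an instance that is already patched, not which ones are safe to scan on one that is not.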
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-23T00:38:20.549Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69780bf04623b1157cc7aacb
Added to database: 1/27/2026, 12:50:56 AM
Last enriched: 2/3/2026, 8:45:14 AM
Last updated: 2/7/2026, 8:56:44 PM