CVE-2026-4754: CWE-79 (Cross-Site Scripting) in MolotovCherry Android-ImageMagick7
CVE-2026-4754 is a medium severity Cross-Site Scripting (XSS) vulnerability (CWE-79) affecting MolotovCherry's Android-ImageMagick7 versions prior to 7.1.2-11. The flaw allows remote attackers to execute malicious scripts via crafted input, requiring no privileges but some user interaction. It impacts confidentiality and integrity but not availability. No known exploits are currently reported in the wild. The vulnerability is network exploitable with low attack complexity and can affect a broad range of Android devices using this image processing library. Mitigation involves updating to version 7.1.2-11 or later once available and implementing strict input validation and output encoding.
AI Analysis
Technical Summary
CVE-2026-4754 identifies a Cross-Site Scripting (XSS) vulnerability classified under CWE-79 in the MolotovCherry Android-ImageMagick7 library, affecting versions before 7.1.2-11. XSS vulnerabilities occur when an application includes untrusted data in a web page without proper validation or escaping, enabling attackers to inject malicious scripts that execute in the context of the victim's browser. This particular vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), does not require privileges (PR:N), but requires user interaction (UI:R), such as clicking a malicious link or opening crafted content. The vulnerability has a scope change (S:C), meaning it can affect components beyond the initially vulnerable module. The impact affects confidentiality and integrity (C:L/I:L) but does not affect availability (A:N). Android-ImageMagick7 is an image processing library used in Android applications for handling image manipulation tasks. Exploitation could allow attackers to steal sensitive information, hijack user sessions, or perform unauthorized actions within the context of the affected application. Although no known exploits are reported in the wild, the presence of this vulnerability necessitates proactive remediation. The lack of available patches at the time of reporting highlights the importance of interim mitigations such as input sanitization and output encoding. The vulnerability was published on March 24, 2026, by GovTech CSG, indicating a recognized security concern in the Android ecosystem related to image processing libraries.
Potential Impact
The impact of CVE-2026-4754 is primarily on the confidentiality and integrity of data processed by Android applications using the vulnerable Android-ImageMagick7 library. Successful exploitation could lead to the execution of arbitrary scripts in the context of the victim user, enabling theft of sensitive information such as authentication tokens, personal data, or session cookies. This could facilitate further attacks like account takeover or unauthorized actions within the app. Since availability is not affected, the service or application remains operational, but the trustworthiness of the data and user interactions is compromised. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in scenarios where users are tricked into opening malicious content. Organizations relying on Android applications that embed this library may face reputational damage, data breaches, and regulatory consequences if exploited. The widespread use of Android devices globally amplifies the potential scale of impact, particularly in sectors like finance, healthcare, and government where sensitive data is handled.
Mitigation Recommendations
1. Apply patches or updates from MolotovCherry to upgrade Android-ImageMagick7 to version 7.1.2-11 or later as soon as they become available.
2. Implement strict input validation on all data entering the application, especially any data that will be processed or rendered by the image library, to filter out malicious scripts or code.
3. Employ robust output encoding and sanitization techniques to neutralize potentially harmful content before rendering it in any user interface or web context.
4. Use Content Security Policy (CSP) headers in applications to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks.
5. Educate users about the risks of interacting with untrusted links or content to reduce the likelihood of user-driven exploitation.
6. Monitor application logs and network traffic for unusual activity that may indicate attempted exploitation.
7. Conduct regular security assessments and code reviews focusing on input handling and third-party library usage.
8. Consider implementing runtime application self-protection (RASP) mechanisms to detect and block XSS attacks dynamically.
Affected Countries
United States, India, Brazil, Germany, Japan, United Kingdom, France, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GovTech CSG
- Date Reserved: 2026-03-24T06:02:48.515Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c2331ef4197a8e3bf9dffa
Added to database: 3/24/2026, 6:45:50 AM
Last enriched: 3/24/2026, 7:02:29 AM
Last updated: 3/24/2026, 7:50:20 AM