Stored XSS Vulnerability in MobSF Mobile Application Security Testing Tool
CVE-2026-24490
What is CVE-2026-24490?
CVE-2026-24490 is a stored cross-site scripting (XSS) vulnerability in MobSF (Mobile Security Framework), a widely used open-source tool for assessing the security of mobile applications. It affects versions prior to 4.4.5. During Android manifest analysis, MobSF does not adequately sanitize the android:host attribute before rendering it into specific HTML elements of its report. An attacker can therefore upload a crafted Android Package Kit (APK) file whose manifest carries a malicious android:host value; when a user views the generated report, the injected JavaScript executes in that user's browser session, enabling session hijacking and account takeover. Organizations running affected MobSF versions are exposed to significant security breaches until they upgrade.
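The bug class behind this advisory is an attacker-controlled manifest attribute reaching an HTML report without output encoding. The following is an added illustration, not MobSF's own code: it parses a constructed AndroidManifest.xml fragment (hypothetical sample, with one android:host value deliberately carrying HTML markup), extracts the android:host values, renders them into a report fragment once unsafely and once with escaping, and runs a simple check a reviewer could use to spot the unescaped case. The function names, the manifest sample and the injected marker are all assumptions made for this example.

```python
# Added example (not MobSF's own code): extracting android:host from a manifest
# and rendering it into an HTML report, unsafe vs. escaped.
import html
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest fragment. The second host value carries HTML
# markup (XML-escaped here so the document parses) to stand in for an
# attacker-controlled value; it is not an exploit string from the advisory.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="https" android:host="example.com"/>
        <data android:scheme="https" android:host="&lt;b&gt;injected&lt;/b&gt;"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def extract_hosts(manifest_xml):
    """Return every android:host value found on <data> elements, in order."""
    root = ET.fromstring(manifest_xml)
    hosts = []
    for data in root.iter("data"):
        host = data.get("{%s}host" % ANDROID_NS)
        if host is not None:
            hosts.append(host)
    return hosts


def render_hosts_unsafe(hosts):
    """Bug class: the untrusted value is interpolated into HTML verbatim."""
    return "".join("<li>%s</li>" % h for h in hosts)


def render_hosts_safe(hosts):
    """Fix: HTML-escape every untrusted value before it reaches the document."""
    return "".join("<li>%s</li>" % html.escape(h, quote=True) for h in hosts)


def contains_unescaped_markup(fragment, untrusted_values):
    """Report-side check: an untrusted value that contains HTML metacharacters
    and still appears verbatim in the rendered fragment means output encoding
    was skipped somewhere."""
    for value in untrusted_values:
        if any(c in value for c in "<>\"'") and value in fragment:
            return True
    return False


if __name__ == "__main__":
    hosts = extract_hosts(SAMPLE_MANIFEST)
    print("hosts:", hosts)
    unsafe = render_hosts_unsafe(hosts)
    safe = render_hosts_safe(hosts)
    print("unsafe fragment leaks markup:", contains_unescaped_markup(unsafe, hosts))
    print("escaped fragment leaks markup:", contains_unescaped_markup(safe, hosts))
```

The escaping step is the whole fix: any value that originates in an uploaded APK (manifest attributes, package names, activity labels, strings) must be treated as untrusted text and encoded at the point it is written into HTML. In Django-based applications, which MobSF is, template autoescaping does this by default, so the check above is most useful wherever a value is rendered through a path that bypasses it, such as a value marked safe or HTML assembled by string formatting.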
Potential impact of CVE-2026-24490
- Session Hijacking: Attackers can exploit the XSS vulnerability to hijack sessions of users who interact with the compromised reports, potentially gaining unauthorized access to sensitive information or actions performed within the application.
- Account Takeover: With the ability to execute arbitrary JavaScript, an attacker may gain control over user accounts, leading to unauthorized actions, data manipulation, and further exploitation of the application or its users.
- Trust and Reputation Damage: The exploitation of this vulnerability can lead to a loss of trust among users and clients, as successful attacks may result in data breaches or unauthorized actions that damage the organization's reputation in the market.

Affected Version(s)
Mobile-Security-Framework-MobSF < 4.4.5