Internal File Exposure Vulnerability in Stoat for Android
CVE-2026-57848

6.8MEDIUM

Key Information:

Vendor

Stoatchat

Vendor
CVE Published:
18 July 2026

What is CVE-2026-57848?

Stoat for Android contains a vulnerability where its ShareTargetActivity component improperly exposes internal files due to a lack of URI validation. This flaw enables attackers to invoke intents that can send sensitive data from the application's internal storage to unintended recipients. Specifically, attackers can craft an intent with a malicious URI pointing to critical files like authentication tokens, cached data, or private databases, allowing them to discreetly forward the user's internal data via the app's sharing functionality without the user's knowledge. The absence of filename information in the shared attachment further obscures the nature of the data being transmitted, which could lead to unauthorized access to sensitive information, including user message histories and contact lists.

Affected Version(s)

Stoat for Android 0

References

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Monokle
.