Internal File Exposure Vulnerability in Stoat for Android
CVE-2026-57848
What is CVE-2026-57848?
Stoat for Android contains a vulnerability where its ShareTargetActivity component improperly exposes internal files due to a lack of URI validation. This flaw enables attackers to invoke intents that can send sensitive data from the application's internal storage to unintended recipients. Specifically, attackers can craft an intent with a malicious URI pointing to critical files like authentication tokens, cached data, or private databases, allowing them to discreetly forward the user's internal data via the app's sharing functionality without the user's knowledge. The absence of filename information in the shared attachment further obscures the nature of the data being transmitted, which could lead to unauthorized access to sensitive information, including user message histories and contact lists.
Affected Version(s)
Stoat for Android 0
