DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24490: MobSF Stored XSS: When the Scanner Becomes the Target

Vulnerability ID: CVE-2026-24490
CVSS Score: 8.1
Published: 2026-01-26

A high-severity (CVSS 8.1) Stored Cross-Site Scripting (XSS) vulnerability in Mobile Security Framework (MobSF) allows attackers to inject malicious JavaScript via crafted Android Manifest files. This turns the security analyst's own dashboard into a weapon against them.

TL;DR

MobSF trusted the contents of AndroidManifest.xml a little too much. By crafting a malicious APK whose manifest declares a 'dialer code' intent with an HTML payload in its attributes, an attacker can inject JavaScript into the static analysis report. When a researcher opens the report, the script executes in their authenticated browser session, potentially stealing that session or performing actions on the MobSF instance as the analyst.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network (Stored via File Upload)
  • CVSS Score: 8.1 (High)
  • Impact: Session Hijacking; arbitrary actions in the analyst's authenticated MobSF session
  • Exploit Status: Proof of Concept Available
  • Fix Version: 4.4.5

Affected Systems

  • Mobile Security Framework (MobSF) < 4.4.5 (Fixed in: 4.4.5)

Code Analysis

Commit: 2b08dd0

Fix Stored XSS in Manifest Analysis by escaping attributes and removing safe filter

@@ -14,7 +14,7 @@
-    {{item|key:"title" | safe}}
+    {{item|key:"title"}}
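Review bot: dropping `| safe` on line 14 only neutralises the title if Django's autoescaping is actually active for this template and the custom `key` filter returns a plain str; if `key` (or the view that builds `item`) wraps values with mark_safe/SafeString, autoescape skips them and the payload survives this patch. The commit message also says attributes are escaped, but the hunk shows only the title cell; please confirm every other `| safe` use in the same manifest-analysis template, and any value rendered into an HTML attribute, received the same treatment.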

Exploit Details

Mitigation Strategies

  • Input Sanitization: Always treat parsed file metadata (XML, JSON, binary headers) as untrusted user input.
  • Context-Aware Output Encoding: Rely on the template engine's auto-escaping and do not bypass it for parsed data (in Django, that means no `|safe` filter or mark_safe on values that originated in the uploaded file).
  • Content Security Policy (CSP): Implement strict CSP headers to prevent inline script execution and unauthorized outbound connections.
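As an added illustration of the three points above (example code written for this page, not code from MobSF or from the original report), the Python script below parses a constructed AndroidManifest.xml, extracts the android:host of an android_secret_code data element (the mechanism Android uses for dialer codes; that the real PoC used exactly this attribute is an assumption), and renders the resulting finding both the vulnerable way (verbatim, which is what a `|safe` template does) and the hardened way, next to a strict CSP header. All function names and the sample manifest are hypothetical.

```python
import html
from xml.etree import ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest, not taken from any real APK. The android:host of
# an android_secret_code <data> element (Android's "dialer code" mechanism)
# carries an HTML payload. It is XML-entity-encoded here because the XML parser
# decodes entities: the string the analysis code receives is raw HTML.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application>
    <receiver android:name=".SecretCodeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code"
              android:host="1234&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# A strict policy for a report page: no inline scripts, no remote script
# sources, no plugins, no framing. Script tags or event handlers injected
# through XSS are refused by the browser even if escaping is missed somewhere.
CSP_HEADER = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'none'; frame-ancestors 'none'"
)


def find_dialer_codes(manifest_xml: str) -> list[str]:
    """Return the android:host of every android_secret_code <data> element.

    Every returned string is attacker-controlled: it comes straight from the APK.
    """
    root = ET.fromstring(manifest_xml)
    codes = []
    for data in root.iter("data"):
        scheme = data.get(f"{{{ANDROID_NS}}}scheme")
        host = data.get(f"{{{ANDROID_NS}}}host")
        if scheme == "android_secret_code" and host is not None:
            codes.append(host)
    return codes


def render_finding_unsafe(title: str) -> str:
    """Vulnerable rendering: the parsed value is interpolated verbatim, which is
    exactly what a Django template does with {{ title|safe }}."""
    return f'<td data-title="{title}">{title}</td>'


def render_finding_safe(title: str) -> str:
    """Hardened rendering: escape once for the HTML context. html.escape with
    quote=True encodes & < > " and ', so the value is inert both inside the
    attribute and in the text node (Django's autoescape does the same)."""
    escaped = html.escape(title, quote=True)
    return f'<td data-title="{escaped}">{escaped}</td>'


if __name__ == "__main__":
    for code in find_dialer_codes(SAMPLE_MANIFEST):
        print("parsed host :", code)
        print("vulnerable  :", render_finding_unsafe(code))
        print("hardened    :", render_finding_safe(code))
    print("CSP header  :", CSP_HEADER)
```

Real APKs carry the manifest in binary AXML form; the text form is used here only so the example runs offline. The point of the hardened renderer is that the manifest value never gets a "trusted" marker between parsing and output, so the template engine escapes it like any other user input, and the CSP is the second layer in case some other report field still reaches the page unescaped.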

Remediation Steps:

  1. Upgrade Mobile Security Framework (MobSF) to version 4.4.5 or later immediately.
  2. If upgrading is not possible, manually apply the patch from commit 2b08dd050e7685ee2a14fdbb454affab94129eae.
  3. Audit existing users and active sessions on shared MobSF instances to ensure no accounts have been compromised.

References


Read the full report for CVE-2026-24490 on our website for more details including interactive diagrams and full exploit analysis.
