CVE-2026-24490 Overview
MobSF (Mobile Security Framework) is a widely used mobile application security testing tool for Android, iOS, and Windows mobile applications. A Stored Cross-Site Scripting (XSS) vulnerability exists in MobSF's Android manifest analysis functionality prior to version 4.4.5. This vulnerability allows an attacker to execute arbitrary JavaScript code in the context of a victim's browser session by uploading a malicious APK file. The android:host attribute from <data android:scheme="android_secret_code"> elements is rendered in HTML reports without proper sanitization, creating an attack vector for session hijacking and account takeover.
Critical Impact
Attackers can achieve session hijacking and account takeover by uploading malicious APK files that inject JavaScript into MobSF analysis reports.
Affected Products
- MobSF (Mobile Security Framework) versions prior to 4.4.5
- MobSF Android manifest analysis component
- MobSF HTML report generation module
Discovery Timeline
- 2026-01-27 - CVE-2026-24490 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2026-24490
Vulnerability Analysis
This Stored Cross-Site Scripting (XSS) vulnerability (CWE-79) resides in MobSF's Android manifest parsing and report generation functionality. When MobSF analyzes an Android APK file, it extracts and processes various manifest attributes including the android:host attribute from <data> elements within intent filters. The vulnerability occurs because the extracted android:host value from <data android:scheme="android_secret_code"> elements is directly inserted into HTML reports without undergoing proper output encoding or sanitization.
An attacker can craft a malicious APK with a specially constructed android:host attribute containing JavaScript payloads. When a security analyst uploads and analyzes this APK, the malicious script executes within their authenticated browser session. The attack is network-accessible and requires high privileges (the ability to submit APKs for analysis), but it impacts any user who views the generated report, so the vulnerable component and the affected users differ (a changed-scope scenario).
Root Cause
The root cause of this vulnerability is insufficient output encoding in MobSF's HTML report template rendering. When manifest data is extracted from APK files, the android:host attribute values are treated as trusted data and embedded directly into HTML output without sanitization. The application fails to apply proper HTML entity encoding or Content Security Policy controls that would prevent script execution from user-controlled input.
Attack Vector
The attack is executed over the network through MobSF's file upload interface. An attacker uploads a malicious APK containing crafted manifest data with XSS payloads embedded in the android:host attribute. When the APK is analyzed and a report is generated, the malicious JavaScript payload persists in the stored report. Any authenticated user who subsequently views the analysis report will have the malicious script executed in their browser context, potentially leading to session token theft, credential harvesting, or unauthorized actions performed on behalf of the victim.
The attack flow involves:
- Attacker crafts an APK with malicious JavaScript in the android:host manifest attribute
- Attacker uploads the APK to MobSF for analysis
- MobSF generates an HTML report containing the unsanitized payload
- Victim views the analysis report
- Malicious JavaScript executes in victim's authenticated session
Detection Methods for CVE-2026-24490
Indicators of Compromise
- Unusual APK uploads containing JavaScript-like patterns in manifest XML attributes
- Analysis reports with unexpected <script> tags or JavaScript event handlers in manifest attribute sections
- Session cookies or authentication tokens being exfiltrated to external domains
- Suspicious network requests originating from MobSF report pages to unknown endpoints
Detection Strategies
- Monitor APK uploads for manifest files containing HTML/JavaScript syntax in attribute values
- Implement Content Security Policy logging to detect inline script execution attempts
- Review MobSF access logs for unusual patterns of report access following APK uploads
- Deploy web application firewalls configured to detect XSS payload patterns in file uploads
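The following Python example is added here and is not MobSF's own code. It models both the Root Cause above (attribute values reaching an HTML report without output encoding, beside the escaped form) and the detection strategy of flagging HTML/JavaScript syntax in manifest attribute values. The manifests are constructed for this example; the extra rule that an android_secret_code host should be numeric is an assumption based on how secret codes are dialed, useful for triage rather than a property the advisory states.

```python
"""Added example, not MobSF's own code: unsafe vs. escaped rendering of
android:host values, and a scanner that flags suspicious manifest attributes."""
import html
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Markup or script fragments that have no legitimate place in a manifest attribute.
MARKUP_RE = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
# Assumption: secret codes are dialed as *#*#<code>#*#*, so the host is expected to be digits.
NUMERIC_RE = re.compile(r"^\d+$")

# Constructed manifests (not from any real app). The second one carries a <script>
# tag in android:host; in XML text the angle brackets appear as &lt; and &gt;.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.clean">
  <application><receiver android:name=".Codes"><intent-filter>
    <action android:name="android.provider.Telephony.SECRET_CODE"/>
    <data android:scheme="android_secret_code" android:host="1234"/>
  </intent-filter></receiver></application>
</manifest>"""

SUSPICIOUS_MANIFEST = CLEAN_MANIFEST.replace(
    'android:host="1234"', 'android:host="&lt;script&gt;alert(1)&lt;/script&gt;"')


@dataclass
class Finding:
    element: str
    attribute: str
    value: str
    reason: str


def secret_code_hosts(manifest_xml: str) -> list[str]:
    """android:host of every <data android:scheme="android_secret_code"> element."""
    root = ET.fromstring(manifest_xml)
    return [d.get(f"{{{ANDROID_NS}}}host", "") for d in root.iter("data")
            if d.get(f"{{{ANDROID_NS}}}scheme") == "android_secret_code"]


def scan_manifest(manifest_xml: str) -> list[Finding]:
    """Flag attribute values with HTML/JS syntax and non-numeric secret-code hosts."""
    findings = []
    for elem in ET.fromstring(manifest_xml).iter():
        for qname, value in elem.attrib.items():
            attr = qname.rsplit("}", 1)[-1]  # strip the namespace URI from the attribute name
            if MARKUP_RE.search(value):
                findings.append(Finding(elem.tag, attr, value, "html/script syntax in attribute value"))
        if elem.tag == "data" and elem.get(f"{{{ANDROID_NS}}}scheme") == "android_secret_code":
            host = elem.get(f"{{{ANDROID_NS}}}host", "")
            if not NUMERIC_RE.match(host):
                findings.append(Finding("data", "host", host, "android_secret_code host is not numeric"))
    return findings


def render_vulnerable(hosts: list[str]) -> str:
    """The defect class behind CVE-2026-24490: values concatenated into HTML unescaped."""
    return "<table>" + "".join(f"<tr><td>{h}</td></tr>" for h in hosts) + "</table>"


def render_fixed(hosts: list[str]) -> str:
    """Hardened form: entity-encode every attacker-controlled value before it reaches the report."""
    return "<table>" + "".join(f"<tr><td>{html.escape(h, quote=True)}</td></tr>" for h in hosts) + "</table>"


def has_script_tag(report_html: str) -> bool:
    """Does a live <script> tag survive in the rendered report?"""
    return "<script" in report_html.lower()


if __name__ == "__main__":
    for f in scan_manifest(SUSPICIOUS_MANIFEST):
        print(f"{f.element}/{f.attribute}: {f.reason}: {f.value!r}")
    hosts = secret_code_hosts(SUSPICIOUS_MANIFEST)
    print("vulnerable render contains script tag:", has_script_tag(render_vulnerable(hosts)))
    print("fixed render contains script tag:", has_script_tag(render_fixed(hosts)))
```

In a Django application the equivalent of render_fixed is simply leaving template autoescaping on and never marking manifest-derived strings as safe; the scanner is meant for the upload path or a scheduled sweep of stored APKs, where a finding of either kind is worth a manual look before the report is opened.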
Monitoring Recommendations
- Enable verbose logging on MobSF instances to track file uploads and report generation
- Configure browser-based monitoring solutions to detect DOM manipulation attempts
- Implement alerting for outbound network connections from report viewing sessions
- Regularly audit generated HTML reports for unexpected script content
How to Mitigate CVE-2026-24490
Immediate Actions Required
- Upgrade MobSF to version 4.4.5 or later immediately
- Review historical analysis reports for signs of XSS injection
- Invalidate active sessions for users who may have accessed compromised reports
- Implement network-level restrictions on MobSF instances until patching is complete
Patch Information
The vulnerability has been addressed in MobSF version 4.4.5. The fix implements proper output encoding for manifest attribute values when rendering HTML reports. Users should update to this version or later to remediate the vulnerability.
For detailed information about the fix, refer to:
Workarounds
- Restrict access to MobSF instances to trusted users only until patching is complete
- Implement strict Content Security Policy headers on the MobSF web interface to prevent inline script execution
- Use a reverse proxy with XSS filtering capabilities in front of MobSF
- Disable or restrict the Android manifest analysis feature if not critical to operations
# Example: Add Content Security Policy header via nginx reverse proxy
# Add to the nginx server block that proxies MobSF
# Test on a staging instance first: a script-src without 'unsafe-inline' may block inline scripts the MobSF UI relies on
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


