MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field
A Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The android:host attribute from <data android:scheme="android_secret_code"> elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover.
https://github.com/advisories/GHSA-8hf7-h89p-3pqj
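Added illustration of the defect and its fix, not MobSF's own code: android:host values are pulled from a constructed manifest fragment, then rendered once by direct string interpolation (the unsanitized pattern the advisory describes) and once through html.escape. The element and attribute names follow the Android manifest schema; the two render helpers are hypothetical stand-ins for a report template.

```python
import html
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment (not taken from any real APK). The second
# dialer-code host carries HTML markup, standing in for the malicious APK the
# advisory describes; the XML parser decodes &lt;/&gt; back to raw < and >.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <receiver android:name=".SecretCodeReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="1234"/>
        <data android:scheme="android_secret_code"
              android:host="5678&lt;script&gt;alert(1)&lt;/script&gt;"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def dialer_code_hosts(manifest_xml: str) -> list[str]:
    """Return every android:host declared on a <data> element whose
    android:scheme is android_secret_code, in document order."""
    root = ET.fromstring(manifest_xml)
    hosts = []
    for data in root.iter("data"):
        if data.get(f"{{{ANDROID_NS}}}scheme") == "android_secret_code":
            host = data.get(f"{{{ANDROID_NS}}}host")
            if host is not None:
                hosts.append(host)
    return hosts


def render_unsafe(hosts: list[str]) -> str:
    # Vulnerable pattern: attacker-controlled attribute text is concatenated
    # straight into report HTML, so markup inside it becomes live DOM.
    return "".join(f"<tr><td>{h}</td></tr>" for h in hosts)


def render_safe(hosts: list[str]) -> str:
    # Hardened pattern: escape <, >, &, and quotes before interpolation, so the
    # host is displayed as inert text regardless of what the APK declares.
    return "".join(f"<tr><td>{html.escape(h, quote=True)}</td></tr>" for h in hosts)


if __name__ == "__main__":
    found = dialer_code_hosts(SAMPLE_MANIFEST)
    print("unsafe:", render_unsafe(found))
    print("safe:  ", render_safe(found))
```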
⚠️ WARNING: LEGAL DISCLAIMER
This tool is intended for educational purposes only. The author is not responsible for any illegal use of this tool. Users are solely responsible for their actions.
#kalilinux #kalilinuxtools #informationsecurity #ethicalhacker #pentesting #Ubuntu...
17.02.2026 / 00:56