CVE-2026-12189

MEDIUM 5.3

Moovit Bus & Public Transit App com.tranzmate improper authorization in handler for custom url scheme

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. This affects an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in handler for custom url scheme. The attack can only be executed locally. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-939 CWE-285
Vendor	moovit
Product	bus & public transit app
Published	Jun 14, 2026

Stay Ahead of the Next One

Get instant alerts for moovit bus & public transit app

Be the first to know when new medium vulnerabilities affecting moovit bus & public transit app are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Moovit / Bus & Public Transit App

1.18

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/370835 vuldb.com: https://vuldb.com/vuln/370835/cti vuldb.com: https://vuldb.com/cve/CVE-2026-12189 vuldb.com: https://vuldb.com/submit/824449 github.com: https://github.com/honestcorrupt/MOOVIT-CVE-.git drive.google.com: https://drive.google.com/file/d/1lKtJX8mhbGTiMarv2H3psd9iombJ-dIn/view?usp=sharing

Credits

🔍 honest_corrupt (VulDB User) VulDB CNA Team