๐Ÿ” CVE Alert

CVE-2026-57848

MEDIUM 5.5

Stoat for Android Internal File Disclosure via Exported ShareTargetActivity URI Validation

CVSS Score
5.5
EPSS Score
0.0%
EPSS Percentile
0th

Stoat for Android exports the chat.stoat.activities.ShareTargetActivity component (reachable to any process on the device via the android.intent.action.SEND intent) and accepts the file to share as a URI supplied through the android.intent.extra.STREAM extra. The activity does not validate or filter the incoming URI before using it as the outgoing attachment, so a caller can pass a file:// URI pointing at the application's own internal storage (for example /data/data/chat.revolt/databases/revolt.db, cached authentication token files, or preferences) and have the app treat that internal file as a user-selected attachment. An attacker who can invoke intents on the victim's device (via ADB access, a co-installed malicious application, or any other route that reaches Android's intent dispatch) can launch ShareTargetActivity with such a URI and cause the victim, on a single channel-selection interaction, to send the internal file to any Stoat channel or user of the attacker's choosing. The composer displays the attachment as \"attachment\" with no filename indication, so the victim has no visible signal that the file being sent is their own internal application data. Consequences include disclosure of the local Stoat database (message history, contact list, cached content), disclosure of authentication tokens permitting full account takeover, and disclosure of any other file readable by the app process.

CWE CWE-926
Vendor stoatchat
Product stoat for android
Published Jul 18, 2026
Stay Ahead of the Next One

Get instant alerts for stoatchat stoat for android

Be the first to know when new medium vulnerabilities affecting stoatchat stoat for android are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

stoatchat / Stoat for Android
0 < 1.6.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/stoatchat/for-android github.com: https://github.com/stoatchat/for-android/commit/50d5f5143940809ebb5a61e5f507c956c33aa970 vulncheck.com: https://www.vulncheck.com/advisories/stoat-for-android-internal-file-disclosure-via-exported-sharetargetactivity-uri-validation

Credits

๐Ÿ” Monokle