CVE-2026-9221

HIGH 7.5

Setracker2 Children's Smartwatch Ecosystem Use of a Broken or Risky Cryptographic Algorithm

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID. With the session ID exposed, an attacker could impersonate the legitimate user and issue authenticated API requests.

CWE	CWE-327
Vendor	shenzhen i365-tech co. ltd.
Product	setracker2 parental control app (android) package com.tgelec.setracker
Published	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for shenzhen i365-tech co. ltd. setracker2 parental control app (android) package com.tgelec.setracker

Be the first to know when new high vulnerabilities affecting shenzhen i365-tech co. ltd. setracker2 parental control app (android) package com.tgelec.setracker are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Shenzhen i365-Tech Co. Ltd. / Setracker2 Parental Control App (Android) package com.tgelec.setracker

0 ≤ 3.1.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

raw.githubusercontent.com: https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json

Credits

Huancheng Hu of Hasso Plattner Institute reported these vulnerabilities to CISA, with support from Prof. Christian Doerr.