CVE-2026-9222

HIGH 8.1

Setracker2 Children's Smartwatch Ecosystem Use of password hash instead of password for authentication

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow an attacker, who knows the hash, to authenticate and gain full access.

CWE	CWE-836
Vendor	shenzhen i365-tech co. ltd.
Product	setracker2 parental control app (android) package com.tgelec.setracker
Published	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for shenzhen i365-tech co. ltd. setracker2 parental control app (android) package com.tgelec.setracker

Be the first to know when new high vulnerabilities affecting shenzhen i365-tech co. ltd. setracker2 parental control app (android) package com.tgelec.setracker are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Shenzhen i365-Tech Co. Ltd. / Setracker2 Parental Control App (Android) package com.tgelec.setracker

0 ≤ 3.1.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

raw.githubusercontent.com: https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json

Credits

Huancheng Hu of Hasso Plattner Institute reported these vulnerabilities to CISA, with support from Prof. Christian Doerr.