VYPR
Medium severity · 5.3 · NVD Advisory · Published Jun 14, 2026

CVE-2026-12189

Description

Moovit Bus & Public Transit App 1.18 for Android has an exported WebView activity that allows arbitrary URL injection, enabling phishing and UI spoofing attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Moovit Bus & Public Transit App version 1.18 for Android contains an exported, browsable WebViewActivity (com.moovit.web.WebViewActivity) that accepts externally supplied URLs via intents without validating them or restricting them to the app's own domains [1]. This is an improper-authorization flaw in the activity's URL handler (CWE-939): whoever can fire an intent at the activity chooses the web content that is rendered inside the application's trusted interface. The activity declares an intent filter for android.intent.action.VIEW with the android.intent.category.DEFAULT and android.intent.category.BROWSABLE categories, so it can be started both by other applications on the device and by deep links opened from a browser [1].

Exploitation

An attacker with local access to the device, or a malicious app installed on it, can invoke the vulnerable activity. With the Android Debug Bridge (adb) the published command is: `adb shell am start -n com.tranzmate/com.moovit.web.WebViewActivity --es url "https://evil.com"`

This launches the WebView and loads the attacker-controlled URL inside the legitimate app context [1]. Local access (or the ability to have the victim open a crafted link) is required; the activity cannot be triggered remotely without some action on the device. A public proof of concept exists [1].

Impact

Successful exploitation allows an attacker to display arbitrary web content within the Moovit application interface [1]. This can lead to phishing attacks, UI spoofing, and social engineering, potentially resulting in credential theft, disclosure of personal information, and erosion of user trust. The attacker gains no elevated privileges on the device but can abuse the trusted application context to deceive users.

Mitigation

The vendor was contacted but did not respond to the disclosure [1]. As of the publication date (2026-06-14), no official fix or patch has been released. Users are advised to avoid opening suspicious links or deep links that may trigger the vulnerable activity. Until a patch is provided, the application remains exposed to this local exploitation vector.

AI Insight generated on Jun 14, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing validation and domain restriction in an exported browsable WebViewActivity allows arbitrary URL injection."

Attack vector

A local attacker (or malicious app on the same device) crafts an Android intent or deep link targeting the exported `com.moovit.web.WebViewActivity` with an arbitrary URL, e.g., `adb shell am start -n com.tranzmate/com.moovit.web.WebViewActivity --es url "https://evil.com"` [1]. Because the activity lacks domain allowlisting and URL validation, the attacker-controlled web content renders inside the trusted Moovit interface, enabling phishing, UI spoofing, and social engineering attacks [CWE-939, CWE-601].

Affected code

The vulnerable component is `com.moovit.web.WebViewActivity` in the Moovit Bus & Public Transit App 1.18 on Android. The activity is exported and browsable via an intent-filter that accepts `android.intent.action.VIEW` with the `BROWSABLE` category, allowing externally supplied URLs to be loaded inside the application's WebView without sufficient validation or domain restriction [1].

What the fix does

The advisory recommends disabling unnecessary exported activities, implementing strict domain allowlisting, validating externally supplied URLs, restricting dangerous URL schemes, and opening untrusted content in external browsers [1]. No patch has been published because the vendor did not respond to the disclosure.
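The vulnerable pattern beside a hardened version, as an added example. This is not Moovit's code (the app's source has not been published); it assumes the activity reads the target from a `url` string extra, matching the published adb command, or from the intent data URI for BROWSABLE deep links. The allowlisted hosts are hypothetical placeholders.

```java
// Added example, not Moovit's code. Two Android activities in one listing;
// each would live in its own .java file in a real project.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// File: VulnerableWebViewActivity.java
// Exported + BROWSABLE in the manifest; whatever arrives in the intent is loaded.
// A malicious app reproduces the adb command from the advisory with:
//   Intent i = new Intent();
//   i.setClassName("com.tranzmate", "com.moovit.web.WebViewActivity");
//   i.putExtra("url", "https://evil.com");
//   startActivity(i);
public class VulnerableWebViewActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        String url = getIntent().getStringExtra("url");            // assumed extra key
        if (url == null && getIntent().getData() != null) {
            url = getIntent().getData().toString();                 // BROWSABLE deep link
        }
        webView.loadUrl(url);  // attacker-controlled, rendered in the app's own chrome
    }
}

// File: HardenedWebViewActivity.java
// Allowlist + scheme restriction + external-browser fallback, as the advisory recommends.
public class HardenedWebViewActivity extends Activity {
    // Hypothetical allowlist; a real app lists the exact hosts it serves itself.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("moovit.example", "help.moovit.example"));

    /** True only for https URLs whose host is exactly on the allowlist. */
    static boolean isAllowed(Uri uri) {
        if (uri == null || !uri.isHierarchical()) return false;   // javascript:, data:, ...
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        if (!"https".equalsIgnoreCase(scheme)) return false;     // no http, file, content, intent
        // Exact match, not endsWith(): rejects "moovit.example.evil.com". Uri.getHost()
        // strips userinfo, so "https://moovit.example@evil.com" resolves to evil.com and fails.
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String extra = getIntent().getStringExtra("url");
        Uri target = (extra != null) ? Uri.parse(extra) : getIntent().getData();

        if (!isAllowed(target)) {
            // Untrusted web content never renders inside the app. Hand plain web URLs
            // to the system browser, where the address bar shows the real origin.
            if (target != null && ("http".equalsIgnoreCase(target.getScheme())
                    || "https".equalsIgnoreCase(target.getScheme()))) {
                startActivity(new Intent(Intent.ACTION_VIEW, target));
            }
            finish();
            return;
        }

        WebView webView = new WebView(this);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Keep follow-on navigation (links, redirects) on the allowlist too.
                if (isAllowed(request.getUrl())) return false;
                startActivity(new Intent(Intent.ACTION_VIEW, request.getUrl()));
                return true;
            }
        });
        setContentView(webView);
        webView.loadUrl(target.toString());
    }
}
```

If the activity never needs to be started by other apps or from a browser, the first recommendation applies instead: declare it with `android:exported="false"` and remove the `BROWSABLE` intent-filter, so the checks above become defence in depth rather than the only barrier. The `shouldOverrideUrlLoading` override matters because an allowlisted page can still link or redirect to an arbitrary origin; without it the first load is checked but nothing afterwards is.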

Preconditions

  • network: Attacker must be able to execute Android intents or deep links on the local device (e.g., via a malicious app or ADB).
  • config: The exported WebViewActivity must be present and browsable (the intent-filter shown in the advisory).
  • input: User interaction is required (the victim must open the malicious link or the malicious app must trigger the intent).

Generated on Jun 14, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.