VYPR
Low severity (3.3) · NVD Advisory · Published May 20, 2026

CVE-2026-47782

Description

The Android app "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation, or notification. If a URL to a malicious web page is supplied through an intent, RoboForm may silently download files without user confirmation or notification.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

RoboForm Password Manager for Android silently downloads files in response to intents because of insufficient URL validation, allowing a malicious app to trigger downloads without user confirmation.

Vulnerability

The Android App "RoboForm Password Manager" (versions 9.8.6.3 and prior [3]) handles Android intents from other applications to open URLs (e.g., login pages) without sufficient validation, user confirmation, or notification. This CWE-357 flaw allows a malicious app to supply a URL to a web page that triggers a file download, which RoboForm then performs silently [3].

Exploitation

An attacker must first convince a victim to install a malicious Android application on the same device. The malicious app then sends an intent to RoboForm containing a URL to a malicious web page. When RoboForm processes this intent, it downloads files from that page without any user confirmation or notification. No further user interaction is required beyond the initial installation of the malicious app [3].

Impact

A successful attack allows an attacker to silently download arbitrary files (e.g., malware) to the victim's device via RoboForm. The impact is limited to integrity (unauthorized file write), with no effect on confidentiality or availability. The CVSS v3 base score is 3.3 (Low) [3].

Mitigation

The vulnerability is fixed in RoboForm for Android version 9.9.5, released on 2026-05-20 [1]. Users should update the app to the latest version via the Google Play Store. No workarounds are available for older versions [3].
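For developers of apps that accept URLs through intents, the three controls the description names as missing (URL validation, user confirmation, notification) can be implemented as in the following added example. It is not RoboForm's code or its fix; `OpenUrlActivity` is a hypothetical activity, and rendering the URL in a `WebView` is an assumption, since the advisory does not say how the app loads the page.

```kotlin
// Added example: hypothetical intent handler, not taken from RoboForm.
import android.app.Activity
import android.app.AlertDialog
import android.app.DownloadManager
import android.net.Uri
import android.os.Bundle
import android.os.Environment
import android.webkit.URLUtil
import android.webkit.WebView

class OpenUrlActivity : Activity() {              // hypothetical exported entry point
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val uri = intent?.data                    // set by the calling app: untrusted
        if (uri == null || !isAcceptable(uri)) { finish(); return }
        val web = WebView(this)
        // Page-initiated downloads go through a confirmation step, never straight to disk.
        web.setDownloadListener { url, _, disposition, mime, _ ->
            confirmDownload(Uri.parse(url), disposition, mime)
        }
        setContentView(web)
        web.loadUrl(uri.toString())
    }

    // 1. URL validation: HTTPS only, non-empty host, no embedded credentials.
    private fun isAcceptable(uri: Uri): Boolean =
        uri.scheme.equals("https", ignoreCase = true) &&
            !uri.host.isNullOrBlank() && uri.userInfo == null

    // 2. User confirmation: show file name and origin before anything is written.
    private fun confirmDownload(src: Uri, disposition: String?, mime: String?) {
        if (!isAcceptable(src)) return            // also rejects data:, blob:, http:
        val name = URLUtil.guessFileName(src.toString(), disposition, mime)
        AlertDialog.Builder(this)
            .setTitle("Download file?")
            .setMessage("$name\nfrom ${src.host}")
            .setNegativeButton(android.R.string.cancel, null)
            .setPositiveButton(android.R.string.ok) { _, _ -> enqueue(src, name) }
            .show()
    }

    // 3. Notification: keep the system download notification visible to the user.
    private fun enqueue(src: Uri, name: String) {
        val req = DownloadManager.Request(src)
            .setDestinationInExternalPublicDir(Environment.DIRECTORY_DOWNLOADS, name)
            .setNotificationVisibility(DownloadManager.Request.VISIBILITY_VISIBLE_NOTIFY_COMPLETED)
        (getSystemService(DOWNLOAD_SERVICE) as DownloadManager).enqueue(req)
    }
}
```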

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
