VYPR

CWE-939

Improper Authorization in Handler for Custom URL Scheme

Abstraction: Base
Status: Incomplete

Description

The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.

Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications; on iOS they have historically been the primary mechanism for inter-application communication. How the handler treats what it receives is left to the developer, and that is where the weakness arises: any application that knows the scheme (and, on many platforms, any web page the user opens) can invoke the handler, and the receiving application generally cannot verify who invoked it. Every parameter arriving through the scheme must therefore be treated as untrusted input. If the handler exposes potentially dangerous functionality, such as modifying files or loading a caller-supplied URL into the application's own WebView, an attacker can trigger that functionality without any authorization check, typically from a malicious app installed on the same device.
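The pattern behind several of the CVEs listed below, a handler that takes a URL out of a custom-scheme link and loads it in the in-app browser, is modelled in the following added example; it is not code from MITRE or from any of the listed products. It is platform-neutral Python standing in for the Android or iOS handler: the `myapp://open?url=...` scheme, the `ALLOWED_HOSTS` allowlist and the sample links are hypothetical. The vulnerable handler hands the target straight to the WebView; the hardened one enforces an https-only, exact-host allowlist and so rejects `javascript:`, `intent:` and `file:` targets as well as the host-confusion tricks that turn such a handler into an open redirect.

```python
"""
Model of a custom-URL-scheme handler that receives links of the form
    myapp://open?url=<target>
and decides whether the in-app browser may load <target>.

Hypothetical scheme, allowlist and sample links; stands in for the
Android/iOS code that would otherwise call the platform WebView.
"""
from urllib.parse import urlsplit, parse_qs

# Hosts the in-app browser is permitted to load (hypothetical allowlist).
ALLOWED_HOSTS = frozenset({"trusted.example.com", "www.example.com"})


def extract_target(link):
    """Pull the 'url' parameter out of a myapp://open?url=... link.

    Returns None when the link is not for the expected scheme/action
    or carries no url parameter. parse_qs undoes the percent-encoding.
    """
    parts = urlsplit(link)
    if parts.scheme.lower() != "myapp" or parts.netloc.lower() != "open":
        return None
    values = parse_qs(parts.query).get("url")
    return values[0] if values else None


def vulnerable_handler(link):
    """CWE-939 pattern: any app on the device can fire myapp://open and
    whatever it names is loaded unchecked."""
    target = extract_target(link)
    return ("load", target) if target else ("reject", "no url")


def target_is_allowed(target, allowed_hosts=ALLOWED_HOSTS):
    """Allow only https:// to an exact allowlisted host, on the default
    port, with no credentials. Anything the parser cannot normalise
    into a hostname is rejected rather than guessed at."""
    try:
        p = urlsplit(target)
    except ValueError:
        return False
    if p.scheme.lower() != "https":
        return False  # javascript:, intent:, file:, data:, http:, scheme-relative
    if p.hostname is None or p.hostname.lower() not in allowed_hosts:
        return False  # evil.example, trusted.example.com.evil.example, ...
    if p.username is not None or p.password is not None:
        return False  # https://trusted.example.com@evil.example/
    try:
        if p.port not in (None, 443):
            return False
    except ValueError:
        return False  # malformed port
    return True


def hardened_handler(link, allowed_hosts=ALLOWED_HOSTS):
    """Same entry point, but the target must pass the allowlist first."""
    target = extract_target(link)
    if target is None:
        return ("reject", "no url")
    if not target_is_allowed(target, allowed_hosts):
        return ("reject", "target not allowlisted")
    return ("load", target)


# Constructed sample links a malicious app or web page might fire at the scheme.
SAMPLE_LINKS = [
    "myapp://open?url=https%3A%2F%2Ftrusted.example.com%2Fpromo",
    "myapp://open?url=https%3A%2F%2Fevil.example%2Flogin",
    "myapp://open?url=https%3A%2F%2Ftrusted.example.com%40evil.example%2F",
    "myapp://open?url=https%3A%2F%2Ftrusted.example.com.evil.example%2F",
    "myapp://open?url=javascript%3Aalert%28document.cookie%29",
    "myapp://open?url=intent%3A%2F%2Fscan%2F%23Intent%3Bscheme%3Dzxing%3Bend",
    "myapp://open?url=file%3A%2F%2F%2Fdata%2Fdata%2Fcom.example%2Fshared_prefs",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link)
        print("  vulnerable:", vulnerable_handler(link))
        print("  hardened:  ", hardened_handler(link))
```

Running the module prints both handlers' decisions for each sample link: the vulnerable handler loads all seven, the hardened one loads only the first. The allowlist compares the parsed hostname exactly, which is what defeats `trusted.example.com@evil.example` and `trusted.example.com.evil.example`; a substring, prefix or regex check on the raw string would pass both.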

Hierarchy (View 1000)

Children

none

CVEs mapped to this weakness (13)

  • CVE-2026-6445 | High | Jun 9, 2026
    risk 0.57 | cvss (no score listed) | epss 0.00

    A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive information to an authenticated user with low privileges.

  • CVE-2026-53408 | High | Jun 12, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.

  • CVE-2026-53407 | High | Jun 12, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.

  • CVE-2026-35394 | High | Apr 6, 2026
    risk 0.47 | cvss 8.3 | epss 0.00

    Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including…

  • CVE-2026-3471 | Medium | May 18, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Mattermost Desktop App versions <=6.1, 6.0.1, 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App, which allows a malicious server owner to repeatedly crash the application via calling {{window.open('javascript:alert()');}}.…

  • CVE-2026-12190 | Medium | Jun 14, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authorization in handler for custom URL scheme. The attack can only be performed from a…

  • CVE-2026-12189 | Medium | Jun 14, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. This affects an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in handler for custom URL scheme. The attack can only be executed locally. The…

  • CVE-2025-41408 | Medium | Sep 5, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Improper authorization in handler for custom URL scheme issue in "Yahoo! Shopping" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker to lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim…

  • CVE-2025-5020 | Medium | May 21, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixed in Firefox for iOS 139.

  • CVE-2024-35298 | Medium | Jun 19, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    Improper authorization in handler for custom URL scheme issue in 'ZOZOTOWN' App for Android versions prior to 7.39.6 allows an attacker to lead a user to access an arbitrary website via another application installed on the user's device. As a result, the user may become a victim…

  • CVE-2024-54014 | Low | Dec 5, 2024
    risk 0.23 | cvss 3.6 | epss 0.00

    Improper authorization in handler for custom URL scheme issue in 'Skylark' App for Android 6.2.13 and earlier and 'Skylark' App for iOS 6.2.13 and earlier allows an attacker to lead the application to access an arbitrary web site via another application installed on the user's…

  • CVE-2024-54125 | Low | Dec 17, 2024
    risk 0.21 | cvss 3.3 | epss 0.00

    Improper authorization in handler for custom URL scheme issue in "Shonen Jump+" App for Android versions prior to 4.0.0 allows an attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

  • CVE-2026-12065 | Low | Jun 12, 2026
    risk 0.12 | cvss 1.8 | epss 0.00

    A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom URL scheme. It is possible to launch the…