← Back
2026-02-13 18:48CVE-2026-26208GitHub_M
PUBLISHED5.2CWE-502

ADB Explorer Vulnerable to Remote Code Execution via Insecure Deserialization

ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects. This allows an attacker to supply a crafted JSON file containing a gadget chain (e.g., ObjectDataProvider) to execute arbitrary code when the application launches and subsequently saves its settings. This vulnerability is fixed in Beta 0.9.26020.

Problem type

Affected products

Alex4SSB

ADB-Explorer

< Beta 0.9.26020 - AFFECTED

References

https://github.com/Alex4SSB/ADB-Explorer/security/advisories/GHSA-49qx-wpxj-p4mh

https://github.com/Alex4SSB/ADB-Explorer/security/advisories/GHSA-49qx-wpxj-p4mh

x_refsource_CONFIRM
https://github.com/Alex4SSB/ADB-Explorer/issues/294

https://github.com/Alex4SSB/ADB-Explorer/issues/294

x_refsource_MISC
https://github.com/Alex4SSB/ADB-Explorer/commit/776f132cede86e1405520f2a28c78276dda5ab5a

https://github.com/Alex4SSB/ADB-Explorer/commit/776f132cede86e1405520f2a28c78276dda5ab5a

x_refsource_MISC
https://github.com/Alex4SSB/ADB-Explorer/releases/tag/v0.9.26020

https://github.com/Alex4SSB/ADB-Explorer/releases/tag/v0.9.26020

x_refsource_MISC

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-26208
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-26208",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-02-13T19:21:56.476Z",
    "dateReserved": "2026-02-11T19:56:24.814Z",
    "datePublished": "2026-02-13T18:48:56.398Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-02-13T18:48:56.398Z"
      },
      "title": "ADB Explorer Vulnerable to Remote Code Execution via Insecure Deserialization",
      "descriptions": [
        {
          "lang": "en",
          "value": "ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects. This allows an attacker to supply a crafted JSON file containing a gadget chain (e.g., ObjectDataProvider) to execute arbitrary code when the application launches and subsequently saves its settings. This vulnerability is fixed in Beta 0.9.26020."
        }
      ],
      "affected": [
        {
          "vendor": "Alex4SSB",
          "product": "ADB-Explorer",
          "versions": [
            {
              "version": "< Beta 0.9.26020",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "cweId": "CWE-502",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/Alex4SSB/ADB-Explorer/security/advisories/GHSA-49qx-wpxj-p4mh",
          "name": "https://github.com/Alex4SSB/ADB-Explorer/security/advisories/GHSA-49qx-wpxj-p4mh",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/Alex4SSB/ADB-Explorer/issues/294",
          "name": "https://github.com/Alex4SSB/ADB-Explorer/issues/294",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/Alex4SSB/ADB-Explorer/commit/776f132cede86e1405520f2a28c78276dda5ab5a",
          "name": "https://github.com/Alex4SSB/ADB-Explorer/commit/776f132cede86e1405520f2a28c78276dda5ab5a",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/Alex4SSB/ADB-Explorer/releases/tag/v0.9.26020",
          "name": "https://github.com/Alex4SSB/ADB-Explorer/releases/tag/v0.9.26020",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH"
          }
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-02-13T19:21:56.476Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}