PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-57848 stoatchat CVE debrief

The Stoat for Android application contains a vulnerability that allows an attacker to disclose internal files by exploiting the ShareTargetActivity component. This component is exported and can be reached by any process on the device via the android.intent.action.SEND intent. The activity does not validate or filter the incoming URI before using it as an outgoing attachment, allowing an attacker to pass a file:// URI pointing to the application's internal storage. This can lead to the disclosure of sensitive information such as the local Stoat database, authentication tokens, and other files readable by the app process.

Vendor
stoatchat
Product
Stoat for Android
CVSS
MEDIUM 6.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-18
Original CVE updated
2026-07-18
Advisory published
2026-07-18
Advisory updated
2026-07-18

Who should care

Users of Stoat for Android, security teams responsible for managing mobile device security, and developers of Android applications should be aware of this vulnerability and take necessary precautions to mitigate the risk.

Technical summary

The Stoat for Android application exports the chat.stoat.activities.ShareTargetActivity component, which can be invoked by any process on the device via the android.intent.action.SEND intent. The activity accepts a file to share as a URI supplied through the android.intent.extra.STREAM extra. However, it does not validate or filter the incoming URI before using it as the outgoing attachment. This allows an attacker to pass a file:// URI pointing to the application's internal storage, such as /data/data/chat.revolt/databases/revolt.db, cached authentication token files, or preferences. The attacker can then cause the victim to send the internal file to any Stoat channel or user of their choosing, with the file being displayed as 'attachment' with no filename indication.

Defensive priority

High

Recommended defensive actions

  • Apply the vendor's patch or update to a version that addresses this vulnerability
  • Restrict access to the ShareTargetActivity component to only trusted sources
  • Implement additional security measures to protect sensitive information stored in the application's internal storage
  • Monitor for suspicious activity related to the Stoat for Android application
  • Educate users on the risks associated with this vulnerability and the importance of keeping their applications up to date

Evidence notes

The CVE record was published on 2026-07-18T20:17:30.427Z and has not been modified since then. The NVD entry is currently in the 'Received' state. The vulnerability was reported by Vulncheck and is related to the Stoat for Android application.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T20:17:30.427Z and has not been modified since then. The NVD entry is currently Received.