PatchSiren cyber security CVE debrief
CVE-2026-57848 stoatchat CVE debrief
The Stoat for Android application contains a vulnerability that allows an attacker to disclose internal files by exploiting the ShareTargetActivity component. This component is exported and can be reached by any process on the device via the android.intent.action.SEND intent. The activity does not validate or filter the incoming URI before using it as an outgoing attachment, allowing an attacker to pass a file:// URI pointing to the application's internal storage. This can lead to the disclosure of sensitive information such as the local Stoat database, authentication tokens, and other files readable by the app process.
- Vendor
- stoatchat
- Product
- Stoat for Android
- CVSS
- MEDIUM 6.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-18
- Original CVE updated
- 2026-07-18
- Advisory published
- 2026-07-18
- Advisory updated
- 2026-07-18
Who should care
Users of Stoat for Android, security teams responsible for managing mobile device security, and developers of Android applications should be aware of this vulnerability and take necessary precautions to mitigate the risk.
Technical summary
The Stoat for Android application exports the chat.stoat.activities.ShareTargetActivity component, which can be invoked by any process on the device via the android.intent.action.SEND intent. The activity accepts a file to share as a URI supplied through the android.intent.extra.STREAM extra. However, it does not validate or filter the incoming URI before using it as the outgoing attachment. This allows an attacker to pass a file:// URI pointing to the application's internal storage, such as /data/data/chat.revolt/databases/revolt.db, cached authentication token files, or preferences. The attacker can then cause the victim to send the internal file to any Stoat channel or user of their choosing, with the file being displayed as 'attachment' with no filename indication.
Defensive priority
High
Recommended defensive actions
- Apply the vendor's patch or update to a version that addresses this vulnerability
- Restrict access to the ShareTargetActivity component to only trusted sources
- Implement additional security measures to protect sensitive information stored in the application's internal storage
- Monitor for suspicious activity related to the Stoat for Android application
- Educate users on the risks associated with this vulnerability and the importance of keeping their applications up to date
Evidence notes
The CVE record was published on 2026-07-18T20:17:30.427Z and has not been modified since then. The NVD entry is currently in the 'Received' state. The vulnerability was reported by Vulncheck and is related to the Stoat for Android application.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T20:17:30.427Z and has not been modified since then. The NVD entry is currently Received.