CVE-2012-6636

Android API < 16.0 - Remote Code Execution via WebView.addJavascriptInterface

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2012-6636. PoCs published by Metasploit, Snip3R69, xckevin, including Metasploit module exploits/android/browser/webview_addjavascriptinterface.

AI-analyzed exploit summary: This Metasploit module exploits a privilege escalation vulnerability in Android < 4.2's WebView component by injecting malicious JavaScript to execute arbitrary commands via exposed Java Reflection APIs. It targets vulnerable Android browsers or WebViews with added JavaScript interfaces.

Description

The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application targeted to API level 16 or earlier, a related issue to CVE-2013-4710.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · android
https://www.exploit-db.com/exploits/41675

This Metasploit module exploits a privilege escalation vulnerability in Android < 4.2's WebView component by injecting malicious JavaScript to execute arbitrary commands via exposed Java Reflection APIs. It targets vulnerable Android browsers or WebViews with added JavaScript interfaces.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Android Browser and WebView < 4.2
No auth needed
Prerequisites: Vulnerable Android device with WebView or Browser app exposing addJavascriptInterface · Ability to deliver malicious JavaScript (e.g., via MITM or XSS)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by Snip3R69 · poc
https://github.com/Snip3R69/CVE-2013-4710-WebView-RCE-Vulnerability

This repository contains a proof-of-concept exploit for CVE-2013-4710, demonstrating how JavaScript in a WebView can execute arbitrary commands on Android devices via reflection. The exploit leverages the `addJavascriptInterface` method to gain RCE by accessing the `Runtime` class.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Android WebView (versions below 4.2)
No auth needed
Prerequisites: Android app with WebView using `addJavascriptInterface` · SD card read/write permissions
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by xckevin · poc
https://github.com/xckevin/AndroidWebviewInjectDemo

This PoC demonstrates CVE-2012-6636, an Android WebView vulnerability where JavaScript can access exposed Java objects via addJavascriptInterface. The demo loads a local HTML file and enables JavaScript interaction with the injected object.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Android WebView (versions affected by CVE-2012-6636)
No auth needed
Prerequisites: Android device with vulnerable WebView implementation · Ability to load malicious HTML/JS into WebView
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by jduck, joev · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/android/browser/webview_addjavascriptinterface.rb

This Metasploit module exploits a privilege escalation vulnerability in Android < 4.2's WebView component by leveraging the addJavascriptInterface method to execute arbitrary commands via Java Reflection APIs. It serves an exploit payload to vulnerable clients, supporting multiple architectures (ARM, MIPS, x86).

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Android Browser and WebView < 4.2
No auth needed
Prerequisites: Vulnerable Android device with WebView < 4.2 · Ability to deliver malicious JavaScript to the target (e.g., via MITM or XSS)
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Mailing List: http://openwall.com/lists/oss-security/2014/02/07/9
Various Sources: http://50.56.33.56/blog/?p=314
Third Party Advisory (JVN): http://jvn.jp/en/jp/JVN62161191/index.html

Scores

EPSS 0.4109
EPSS Percentile 98.5%

Details

CWE: CWE-264
Status: published
Products (16)
google/android_api 1.0
google/android_api 2.0
google/android_api 3.0
google/android_api 4.0
google/android_api 5.0
google/android_api 6.0
google/android_api 7.0
google/android_api 8.0
google/android_api 9.0
google/android_api 10.0
... and 6 more
Published Mar 03, 2014
Tracked Since Feb 18, 2026