CVE-2023-42471

CRITICAL

wave.ai.browser < 1.0.35 - Remote Code Execution via Crafted Intent

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-42471. PoCs published by actuator.

AI-analyzed exploit summary The repository contains a detailed technical analysis of CVE-2023-42471, an arbitrary code execution vulnerability in wave.ai.browser due to an exported SplashScreen activity that improperly handles intent data. The writeup includes manifest analysis, PoC intent creation examples, and mitigation recommendations.

Description

The wave.ai.browser application through 1.0.35 for Android allows a remote attacker to execute arbitrary JavaScript code via a crafted intent. It contains a manifest entry that exports the wave.ai.browser.ui.splash.SplashScreen activity. This activity uses a WebView component to display web content and doesn't adequately validate or sanitize the URI or any extra data passed in the intent by a third party application (with no permissions).

Exploits (1)

nomisec WRITEUP 1 stars

by actuator · poc

https://github.com/actuator/wave.ai.browser

View Code ZIP pw:eip

The repository contains a detailed technical analysis of CVE-2023-42471, an arbitrary code execution vulnerability in wave.ai.browser due to an exported SplashScreen activity that improperly handles intent data. The writeup includes manifest analysis, PoC intent creation examples, and mitigation recommendations.

Classification

Writeup 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: wave.ai.browser version 1.0.38

No auth needed

Prerequisites: Malicious app installed on the same device · wave.ai.browser version 1.0.38 installed

MITRE ATT&CK

T1059.007 - JavaScript T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory

https://github.com/actuator/cve/blob/main/CVE-2023-42471

Exploit

https://github.com/actuator/wave.ai.browser/blob/main/CWE-94.md

View Exploit ZIP pw:eip

Exploit

https://github.com/actuator/wave.ai.browser/blob/main/poc.apk

View Exploit ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0142

EPSS Percentile 69.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

wave-ai/wave < 1.0.35

Published Sep 11, 2023

Tracked Since Feb 18, 2026