CVE-2023-43955

CRITICAL

TV Bro <=2.0.0 - Code Execution via WebView External Intents

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-43955. PoCs published by actuator.

AI-analyzed exploit summary: The repository provides a detailed technical analysis of CVE-2023-43955, focusing on arbitrary file creation and remote JavaScript code execution in the `com.phlox.tvwebbrowser` application. It includes proof-of-concept code demonstrating how an attacker can exploit the WebView component to create arbitrary files and execute malicious JavaScript.

Description

The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files, and perform arbitrary downloads via JavaScript that uses takeBlobDownloadData.

Exploits (1)

nomisec WRITEUP 1 stars
by actuator · poc
https://github.com/actuator/com.phlox.tvwebbrowser

Classification: Writeup 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: com.phlox.tvwebbrowser <= 2.0.0
No auth needed
Prerequisites: Victim must open a malicious URL or HTML file in the vulnerable browser
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 9.8
EPSS 0.0126
EPSS Percentile 65.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (1)
fedirtsapana/tv_bro < 2.0.0
Published Dec 27, 2023
Tracked Since Feb 18, 2026