CVE-2025-68709

MEDIUM

SailingLab AppLock 4.3.8 - Arbitrary JavaScript Execution via BrowserMainActivity

Title source: llm

Description

SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker to trigger arbitrary JavaScript execution via BrowserMainActivity, which accepts VIEW intents with javascript: URIs. This unsafe navigation path results in script execution and may allow UI spoofing or privilege escalation.

References (3)

Core 3

Core References

https://play.google.com/store/apps/details?id=com.alpha.applock

https://github.com/actuator/com.alpha.applock

View Writeup ZIP pw:eip

https://github.com/actuator/com.alpha.applock/blob/main/CVE-2025-68709

View Writeup ZIP pw:eip

Scores

CVSS v3 5.2

EPSS 0.0018

EPSS Percentile 7.4%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Published May 26, 2026

Tracked Since May 27, 2026