CVE-2026-12189

MEDIUM

Moovit Bus & Public Transit App com.tranzmate improper authorization in handler for custom url scheme

Title source: cna

Description

A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. This affects an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in handler for custom url scheme. The attack can only be executed locally. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (6)

Core 6

Core References

Vdb Entry vdb-entry

VDB-370835 | Moovit Bus & Public Transit App com.tranzmate improper authorization in handler for custom url scheme

https://vuldb.com/vuln/370835

Signature, Permissions Required signature permissions-required

VDB-370835 | CTI Indicators (IOB, IOC)

https://vuldb.com/vuln/370835/cti

Third Party Advisory third-party-advisory

CVE-2026-12189 | CVE Analysis and Report

https://vuldb.com/cve/CVE-2026-12189

Third Party Advisory third-party-advisory

Submit #824449 | Moovit Moovit Android Application 1.18 Improper Input Validation / Insecure Deep Link Handling / WebVie

https://vuldb.com/submit/824449

Exploit exploit

https://drive.google.com/file/d/1lKtJX8mhbGTiMarv2H3psd9iombJ-dIn/view?usp=sharing

Scores

CVSS v3 5.3

EPSS 0.0010

EPSS Percentile 1.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-285 CWE-939

Status published

Products (1)

Moovit/Bus & Public Transit App 1.18

Published Jun 14, 2026

Tracked Since Jun 15, 2026