CVE-2026-4219

LOW

INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App ae.index.apgcs BuildConfig.java hard-coded credentials

Title source: cna

Description

A flaw has been found in INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event/BuildConfig.java of the component ae.index.apgcs. Executing a manipulation of the argument ACCESS_KEY/HASH_KEY can lead to hard-coded credentials. The attack is restricted to local execution. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (5)

[Various Sources] https://www.notion.so/Authorization-Credentials-in-ae-index-apgcs-Lead-to-Exposure-of-Backend-Secrets-3172de3f97fb8040bc30c5519a742251

[Vdb Entry, Technical Description] https://vuldb.com/?id.351143

[Signature, Permissions Required] https://vuldb.com/?ctiid.351143

[Third Party Advisory] https://vuldb.com/?submit.770513

[Exploit] https://www.notion.so/Authorization-Credentials-in-ae-index-apgcs-Lead-to-Exposure-of-Backend-Secrets-3172de3f97fb8040bc30c5519a742251?source=copy_link

Scores

CVSS v3 3.3

EPSS 0.0001

EPSS Percentile 1.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-259 CWE-798

Status published

Products (3)

INDEX Conferences & Exhibitions Organization/YWF BPOF APGCS App 1.0.0

INDEX Conferences & Exhibitions Organization/YWF BPOF APGCS App 1.0.1

INDEX Conferences & Exhibitions Organization/YWF BPOF APGCS App 1.0.2

Published Mar 16, 2026

Tracked Since Mar 16, 2026