CVE-2026-4243

LOW

La Nacion App app.lanacion.activity BuildConfig.java credentials storage

Title source: cna

Description

A weakness has been identified in La Nacion App 10.2.25 on Android. This impacts an unknown function of the file source/app/lanacion/clublanacion/BuildConfig.java of the component app.lanacion.activity. Executing a manipulation of the argument API_KEY_WEBSOCKET_CV can lead to unprotected storage of credentials. The attack can only be executed locally. A high complexity level is associated with this attack. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-351185 | La Nacion App app.lanacion.activity BuildConfig.java credentials storage

https://vuldb.com/?id.351185

Signature, Permissions Required signature permissions-required

VDB-351185 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.351185

Third Party Advisory third-party-advisory

Submit #771432 | SA LA NACION LA NACION(app.lanacion.activity) 10.2.25 WebSocket Credential Leak

https://vuldb.com/?submit.771432

Exploit exploit

https://www.notion.so/WebSocket-Credential-Leak-Leading-to-Potential-DDoS-Attacks-in-app-lanacion-activity-3192de3f97fb80f8add6c2247abeb4eb?source=copy_link

Scores

CVSS v3 2.5

EPSS 0.0011

EPSS Percentile 1.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-255 CWE-256

Status published

Products (1)

n/a/La Nacion App 10.2.25

Published Mar 16, 2026

Tracked Since Mar 16, 2026