CVE-2026-27615

ADB Explorer is a fluent UI for ADB on Windows. In versions prior to Beta 0.9.26022, ADB-Explorer allows the `ManualAdbPath` settings variable, which determines the path of the ADB binary to be executed, to be set to a Universal Naming Convention (UNC) path in the application's settings file. This allows an attacker to set the binary's path to point to a remote network resource, hosted on an attacker-controlled network share, thus granting the attacker full control over the binary being executed by the app. An attacker may leverage this vulnerability to execute code remotely on a victim's machine with the privileges of the user running the app. Exploitation is made possible by convincing a victim to run a shortcut of the app that points to a custom `App.txt` settings file, which sets `ManualAdbPath` (for example, when downloaded in an archive file). Version Beta 0.9.26022 fixes the issue.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Alex4SSB/ADB-Explorer/security/advisories/GHSA-3f27-jp2g-hwhr	Exploit Vendor Advisory
https://github.com/Alex4SSB/ADB-Explorer/security/advisories/GHSA-3f27-jp2g-hwhr	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:alex4ssb:adb_explorer:*:*:*:*:*:windows:*:*

History

No history.

Information

Published : 2026-02-25 03:16

Updated : 2026-02-27 19:04

NVD link : CVE-2026-27615

Mitre link : CVE-2026-27615

CVE.ORG link : CVE-2026-27615

JSON object : View

Products Affected

alex4ssb

adb_explorer

CWE

CWE-40

Path Traversal: '\\UNC\share\name\' (Windows UNC Share)

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

{"id": "CVE-2026-27615", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-25T03:16:05.990", "references": [{"url": "https://github.com/Alex4SSB/ADB-Explorer/security/advisories/GHSA-3f27-jp2g-hwhr", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Alex4SSB/ADB-Explorer/security/advisories/GHSA-3f27-jp2g-hwhr", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-40"}, {"lang": "en", "value": "CWE-829"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-829"}]}], "descriptions": [{"lang": "en", "value": "ADB Explorer is a fluent UI for ADB on Windows. In versions prior to Beta 0.9.26022, ADB-Explorer allows the `ManualAdbPath` settings variable, which determines the path of the ADB binary to be executed, to be set to a Universal Naming Convention (UNC) path in the application's settings file. This allows an attacker to set the binary's path to point to a remote network resource, hosted on an attacker-controlled network share, thus granting the attacker full control over the binary being executed by the app. An attacker may leverage this vulnerability to execute code remotely on a victim's machine with the privileges of the user running the app. Exploitation is made possible by convincing a victim to run a shortcut of the app that points to a custom `App.txt` settings file, which sets `ManualAdbPath` (for example, when downloaded in an archive file). Version Beta 0.9.26022 fixes the issue."}, {"lang": "es", "value": "ADB Explorer es una interfaz de usuario fluida para ADB en Windows. En versiones anteriores a Beta 0.9.26022, ADB-Explorer permite que la variable de configuraci\u00f3n 'ManualAdbPath', que determina la ruta del binario ADB a ejecutar, se establezca en una ruta de Convenci\u00f3n de Nomenclatura Universal (UNC) en el archivo de configuraci\u00f3n de la aplicaci\u00f3n. Esto permite a un atacante establecer la ruta del binario para que apunte a un recurso de red remoto, alojado en un recurso compartido de red controlado por el atacante, otorgando as\u00ed al atacante control total sobre el binario que ejecuta la aplicaci\u00f3n. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo de forma remota en la m\u00e1quina de una v\u00edctima con los privilegios del usuario que ejecuta la aplicaci\u00f3n. La explotaci\u00f3n es posible al convencer a una v\u00edctima de ejecutar un acceso directo de la aplicaci\u00f3n que apunta a un archivo de configuraci\u00f3n 'App.txt' personalizado, que establece 'ManualAdbPath' (por ejemplo, cuando se descarga en un archivo comprimido). La versi\u00f3n Beta 0.9.26022 corrige el problema."}], "lastModified": "2026-02-27T19:04:28.260", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:alex4ssb:adb_explorer:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "C02EA1E7-E0FF-4607-A021-2FB1BC886AB7", "versionEndExcluding": "0.9.26022"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}