CVE-2026-27615

HIGH

7.8

Description

ADB Explorer is a fluent UI for ADB on Windows. In versions prior to Beta 0.9.26022, ADB-Explorer allows the `ManualAdbPath` settings variable, which determines the path of the ADB binary to be executed, to be set to a Universal Naming Convention (UNC) path in the application's settings file. This allows an attacker to set the binary's path to point to a remote network resource, hosted on an attacker-controlled network share, thus granting the attacker full control over the binary being executed by the app. An attacker may leverage this vulnerability to execute code remotely on a victim's machine with the privileges of the user running the app. Exploitation is made possible by convincing a victim to run a shortcut of the app that points to a custom `App.txt` settings file, which sets `ManualAdbPath` (for example, when downloaded in an archive file). Version Beta 0.9.26022 fixes the issue.

CVE Details

CVSS v3.1 Score7.8

SeverityHIGH

CVSS VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack VectorLOCAL

ComplexityLOW

Privileges RequiredNONE

User InteractionREQUIRED

Published2/25/2026

Last Modified2/27/2026

Sourcenvd

Honeypot Sightings0

Affected Products

alex4ssb:adb_explorer

Weaknesses (CWE)

CWE-40CWE-829CWE-829

References

https://github.com/Alex4SSB/ADB-Explorer/security/advisories/GHSA-3f27-jp2g-hwhr(security-advisories@github.com)

https://github.com/Alex4SSB/ADB-Explorer/security/advisories/GHSA-3f27-jp2g-hwhr(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.