SecuriTricks - CVE-2026-12189

Description

A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. This affects an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in handler for custom url scheme. The attack can only be executed locally. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Product(s) Impacted

Vendor	Product	Versions
Moovit	Bus And Public Transit App	1.18

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-285

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	moovit	bus_and_public_transit_app	1.18	/	/	/	/	/	/	/

References

https://drive.google.com/file/d/1lKtJX8mhbGTiMarv2H3psd9iombJ-dIn/view?usp=sharing

https://github.com/honestcorrupt/MOOVIT-CVE-.git

https://vuldb.com/cve/CVE-2026-12189

https://vuldb.com/submit/824449

https://vuldb.com/vuln/370835

https://vuldb.com/vuln/370835/cti

CVSS Score

1.9 / 10

CVSS Data - 4.0

Attack Vector: LOCAL
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: LOW
User Interaction: NONE
Scope:
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Exploit Maturity: PROOF_OF_CONCEPT

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: June 14, 2026, 11:16 p.m.
Last Modified: June 14, 2026, 11:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-12189