Published: 2026/05/20 Last Updated: 2026/05/20
JVNVU#93461473
Android App "RoboForm Password Manager" insufficient validation of Android intents
Overview
Android App "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient validation.
Products Affected
- Android App "RoboForm Password Manager" versions 9.8.6.3 and prior
Description
Android App "RoboForm Password Manager" provided by Siber Systems, Inc. accepts intents from other applications to open relevant web pages (e.g., login pages), but does so without sufficient URL validation, user confirmation, or notification.
- Insufficient UI Warning of Dangerous Operations (CWE-357)
- CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 4.6
- CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 3.3
- CVE-2026-47782
- The CVSS vectors above assume that a victim user is directed to install a malicious app, and that the app sends an intent that makes RoboForm download files silently
Impact
If a URL to a malicious web page is given through an intent, RoboForm may silently download files without user confirmation or notification.
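The three controls the Description names as missing (URL validation, user confirmation, notification), sketched for an exported Android activity. This is an added example, not RoboForm's code; the class name `OpenPageActivity`, the `knownHosts` allowlist, and the use of a WebView with `DownloadManager` are assumptions made for illustration.

```kotlin
import android.app.Activity
import android.app.AlertDialog
import android.app.DownloadManager
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.util.Log
import android.webkit.WebView

// Hypothetical exported activity that opens a page named by another app's intent.
class OpenPageActivity : Activity() {
    // Assumption: hosts the user has saved logins for (constructed sample values).
    private val knownHosts = setOf("accounts.example.com", "login.example.org")

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val uri = validatedUri(intent)
        if (uri == null) {
            Log.w("OpenPage", "Rejected intent data: ${intent?.dataString}")
            finish()
            return
        }
        // User confirmation: show the host and wait for an explicit choice.
        confirm("Another app asked to open ${uri.host}. Continue?", onDeny = { finish() }) {
            val web = WebView(this)
            // Downloads triggered by the page are never silent: ask, then notify.
            web.setDownloadListener { url, _, _, mimeType, _ ->
                confirm("Download $mimeType file from ${Uri.parse(url).host}?") {
                    val request = DownloadManager.Request(Uri.parse(url))
                        .setNotificationVisibility(
                            DownloadManager.Request.VISIBILITY_VISIBLE_NOTIFY_COMPLETED)
                    getSystemService(DownloadManager::class.java).enqueue(request)
                }
            }
            setContentView(web)
            web.loadUrl(uri.toString())
        }
    }

    // URL validation: ACTION_VIEW only, https only, no embedded credentials, known host.
    private fun validatedUri(intent: Intent?): Uri? {
        if (intent?.action != Intent.ACTION_VIEW) return null
        val uri = intent.data ?: return null
        if (!uri.isHierarchical || !"https".equals(uri.scheme, ignoreCase = true)) return null
        if (uri.userInfo != null) return null
        val host = uri.host?.lowercase() ?: return null
        return if (host in knownHosts) uri else null
    }

    // Dismissing the dialog counts as a denial.
    private fun confirm(message: String, onDeny: () -> Unit = {}, onAllow: () -> Unit) {
        AlertDialog.Builder(this).setMessage(message)
            .setPositiveButton("Allow") { _, _ -> onAllow() }
            .setNegativeButton("Deny") { _, _ -> onDeny() }
            .setOnCancelListener { onDeny() }.show()
    }
}
```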
Solution
Update the App
Update the app to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| Siber Systems, Inc. | RoboForm Password Manager |
| | RoboForm for Android Version News |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Johan Francsics reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2026-47782 |
| JVN iPedia | |