300+ mobile vulnerabilities we've found in the apps you've heard of

Every CVE listed here has been discovered and responsibly disclosed by Oversecured. They show our ongoing work to find real security issues and help make mobile apps safer. Every entry is verifiable in the National Vulnerability Database.

185

CVEs disclosed

185

CVEs disclosed

156

Brands rewarded us

156

Brands rewarded us

9

Vendor CVE programs

9

Android ecosystems

185 CVEs found by our scanner only.
Every one public in NVD

Each link below resolves to the National Vulnerability Database. Click any CVE to independently verify the disclosure, severity score, and affected vendor. We don't ask you to trust us — we ask you to check.

For media / press:

These CVEs were discovered by Oversecured's mobile-specific taint analysis engine, running autonomously against production Android applications. Every entry is independently verifiable in the National Vulnerability Database.

CVE-2019-5765

Sensitive information disclosure

An exposed debugging endpoint in the browser in Google Chrome on Android prior to 72.0.3626.81 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted Intent.

CVE-2020-8913

Arbitrary code execution

A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library versions prior to 1.7.2.

CVE-2021-0444

Information disclosure

onActivityResult of QuickContactActivity.java has unnecessary return of an intent, which could lead to local information disclosure of contact data.

CVE-2021-0550

Storage permission bypass

onLoadFailed of AnnotateActivity.java has a possible way to gain WRITE_EXTERNAL_STORAGE permissions without user consent due to a confused deputy, which could lead to local escalation of privilege.

CVE-2021-0600

Device admin activation bypass

onCreate of DeviceAdminAdd.java has a possible way to mislead a user to activate a device admin app due to improper input validation, which could lead to local escalation of privilege.

CVE-2021-23863

HTML code injection

HTML code injection vulnerability in Android Application, Bosch Video Security, version 3.2.3.

CVE-2021-25356

Arbitrary app installation

An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allows unprivileged application to install arbitrary application.

CVE-2021-25377

Intent redirection

Intent redirection in Samsung Experience Service versions 10.8.0.4 in Android P(9.0) below, and 12.2.0.5 in Android Q(10.0) above allows attacker to execute privileged action.

CVE-2021-25379

Intent redirection

Intent redirection vulnerability in Gallery prior to version 5.4.16.1 allows attacker to execute privileged action.

CVE-2021-25388

Improper caller validation

Improper caller check vulnerability in Knox Core prior to SMR MAY-2021 Release 1 allows attackers to install arbitrary app.

CVE-2021-25390

Intent redirection

Intent redirection vulnerability in PhotoTable prior to SMR MAY-2021 Release 1 allows attackers to execute privileged action.

CVE-2021-25391

Intent redirection

Intent redirection vulnerability in Secure Folder prior to SMR MAY-2021 Release 1 allows attackers to execute privileged action.

CVE-2021-25392

Sensitive information disclosure

Improper protection of backup path configuration in Samsung Dex prior to SMR MAY-2021 Release 1 allows local attackers to get sensitive information via changing the path.

CVE-2021-25393

Improper input sanitization

Improper sanitization of incoming intent in SecSettings prior to SMR MAY-2021 Release 1 allows local attackers to get permissions to access system uid data.

CVE-2021-25397

Arbitrary file access

An improper access control vulnerability in TelephonyUI prior to SMR MAY-2021 Release 1 allows local attackers to write arbitrary files of telephony process via untrusted applications.

CVE-2019-5765

Sensitive information disclosure

An exposed debugging endpoint in the browser in Google Chrome on Android prior to 72.0.3626.81 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted Intent.

CVE-2020-8913

Arbitrary code execution

A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library versions prior to 1.7.2.

CVE-2021-0444

Information disclosure

onActivityResult of QuickContactActivity.java has unnecessary return of an intent, which could lead to local information disclosure of contact data.

CVE-2021-0550

Storage permission bypass

onLoadFailed of AnnotateActivity.java has a possible way to gain WRITE_EXTERNAL_STORAGE permissions without user consent due to a confused deputy, which could lead to local escalation of privilege.

CVE-2021-0600

Device admin activation bypass

onCreate of DeviceAdminAdd.java has a possible way to mislead a user to activate a device admin app due to improper input validation, which could lead to local escalation of privilege.

CVE-2021-23863

HTML code injection

HTML code injection vulnerability in Android Application, Bosch Video Security, version 3.2.3.

CVE-2021-25356

Arbitrary app installation

An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allows unprivileged application to install arbitrary application.

CVE-2021-25377

Intent redirection

Intent redirection in Samsung Experience Service versions 10.8.0.4 in Android P(9.0) below, and 12.2.0.5 in Android Q(10.0) above allows attacker to execute privileged action.

They fixed zero-day vulnerabilities after our reports

9 companies accepted our submissions through official CVE programs, and 156 more accepted them through their bug bounty programs. Every brand below validated the findings and paid for them.

Vendor CVE Programs

Bug Bounty Programs

Airbnb

Airbnb

Keeper Security

Keeper Security

MercadoLibre

MercadoLibre

Netflix

Netflix

Goldman Sachs

Goldman Sachs

Zendesk

Zendesk

Greenhouse

Greenhouse

PicPay

PicPay

Flipboard

Flipboard

Slack

Slack

Fox News

Fox News

TECNO

TECNO

WW International

WW International

The Times of India

The Times of India

Ring

Ring

Emirates

Emirates

giffgaff

giffgaff

WPS Office

WPS Office

TikTok

TikTok

Amazon

Amazon

Smule

Smule

Marktplaats

Marktplaats

VMware

VMware

Nutanix

Nutanix

Resideo

Resideo

American Express

American Express

Wish

Wish

Codacy

Codacy

Rabobank

Rabobank

DiDi

DiDi

Facebook

Facebook

8x8

8x8

Snapchat

Snapchat

Twitter

Twitter

Duolingo

Duolingo

Zebra

Zebra

Flickr

Flickr

LINE

LINE

Booking.com

Booking.com

Uber

Uber

Spotify

Spotify

Zoom

Zoom

Agoda

Agoda

LinkedIn

LinkedIn

C6 Bank

C6 Bank

thredUP

thredUP

Reddit

Reddit

Vimeo

Vimeo

Starbucks

Starbucks

RecargaPay

RecargaPay

PayPal

PayPal

Rappi

Rappi

Yahoo!

Yahoo!

Slickdeals

Slickdeals

Zalo

Zalo

Kakao

Kakao

Wickr

Wickr

TripAdvisor

TripAdvisor

Coinbase

Coinbase

Dropbox

Dropbox

Wynk

Wynk

Evernote

Evernote

Wattpad

Wattpad

OfficeSuite

OfficeSuite

Indeed

Indeed

Badoo

Badoo

Lark

Lark

Microsoft

Microsoft

Omio

Omio

SHEIN

SHEIN

Workday

Workday

N26

N26

A.S. Watson

A.S. Watson

ROMWE

ROMWE

Zalora

Zalora

PicsArt

PicsArt

WeChat

WeChat

HAGO

HAGO

Likee

Likee

eBay

eBay

Behind our security research

Inspired by the best transparency practices in security research, we share our scope openly, document our process, and welcome feedback

What a CVE means

Each CVE listed was:

  • Discovered by Oversecured's mobile-specific engine

  • Reported to the affected vendor through their disclosure process

  • Accepted, patched, and assigned a CVE ID by the vendor or MITRE

  • Publicly available in the NVD after coordinated disclosure.

What a bug bounty brand means

Each company listed:

  • Operated a bug bounty program that accepted mobile app reports

  • Accepted a vulnerability report submitted by Oversecured

  • Validated the finding as real and actionable

  • Paid a monetary reward for the disclosure

What this page doesn't include

The scope of the research:

  • Private findings disclosed under NDA are not counted here

  • Customer scans performed on behalf of our enterprise customers are not included

  • Duplicate or informational bounty reports are not counted

  • We don't claim CVE discovery for bugs found by other researchers

How we update this page

This is how our team reviews this page:


  • New CVEs added within one week of public NVD availability

  • New bug bounty brands added as vendors permit disclosure

  • The page is versioned in git — historic counts are reproducible

  • Press inquiries: marketing@oversecured.com

Every one of these bugs was found by an automated scanner, not by a human pentester

If Oversecured found these issues in production apps from some of the world’s biggest brands, it can find similar issues in yours.

Blog

Case Studies

Partner

Wall of fame

Dynamic Analysis (DAST)

Static Analysis (SAST)

Interactive Analysis (IAST)

2026 © Oversecured

follow us

LinkedIn

Twitter (X)

Privacy Policy

Terms of use

go up ↑

go up ↑

follow us

LinkedIn

Twitter (X)

Privacy Policy

Terms of use

2026 © Oversecured

Blog

Partner

Wall of fame

Dynamic Analysis (DAST)

Static Analysis (SAST)

Interactive Analysis (IAST)

Case Studies

Blog

Case Studies

Partner

Wall of fame

Dynamic Analysis (DAST)

Static Analysis (SAST)

Interactive Analysis (IAST)

2026 © Oversecured

follow us

LinkedIn

Twitter (X)

Privacy Policy

Terms of use

go up ↑