Home

Description

ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects. This allows an attacker to supply a crafted JSON file containing a gadget chain (e.g., ObjectDataProvider) to execute arbitrary code when the application launches and subsequently saves its settings. This vulnerability is fixed in Beta 0.9.26020.

PUBLISHED Reserved 2026-02-11 | Published 2026-02-13 | Updated 2026-02-13 | Assigner GitHub_M




HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-502: Deserialization of Untrusted Data

Product status

< Beta 0.9.26020
affected

References

github.com/...plorer/security/advisories/GHSA-49qx-wpxj-p4mh

github.com/Alex4SSB/ADB-Explorer/issues/294

github.com/...ommit/776f132cede86e1405520f2a28c78276dda5ab5a

github.com/Alex4SSB/ADB-Explorer/releases/tag/v0.9.26020

cve.org (CVE-2026-26208)

nvd.nist.gov (CVE-2026-26208)

Download JSON