Home

Description

A flaw has been found in INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event/BuildConfig.java of the component ae.index.apgcs. Executing a manipulation of the argument ACCESS_KEY/HASH_KEY can lead to hard-coded credentials. The attack is restricted to local execution. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PUBLISHED Reserved 2026-03-15 | Published 2026-03-16 | Updated 2026-03-16 | Assigner VulDB




MEDIUM: 4.8CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
LOW: 3.3CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
LOW: 3.3CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
1.7AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR

Problem types

Hard-coded Credentials

Use of Hard-coded Password

Product status

1.0.0
affected

1.0.1
affected

1.0.2
affected

Timeline

2026-03-15:Advisory disclosed
2026-03-15:VulDB entry created
2026-03-15:VulDB entry last update

Credits

fxizenta (VulDB User) reporter

VulDB coordinator

References

www.notion.so/...nd-Secrets-3172de3f97fb8040bc30c5519a742251 exploit

vuldb.com/?id.351143 (VDB-351143 | INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App ae.index.apgcs BuildConfig.java hard-coded credentials) vdb-entry technical-description

vuldb.com/?ctiid.351143 (VDB-351143 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.770513 (Submit #770513 | INDEX Conferences & Exhibitions Organization L.L.C YWF | BPOF | APGCS 1.0.2 Authorization Credential Exposure) third-party-advisory

www.notion.so/...3f97fb8040bc30c5519a742251?source=copy_link exploit

cve.org (CVE-2026-4219)

nvd.nist.gov (CVE-2026-4219)

Download JSON