
JVNDB-2026-016626

Android App "RoboForm Password Manager" insufficient validation of Android intents

Overview

Android App "RoboForm Password Manager" provided by Siber Systems, Inc. accepts intents from other applications to open relevant web pages (e.g., login pages), but does so without sufficient URL validation, user confirmation, or notification.
  • Insufficient UI Warning of Dangerous Operations (CWE-357) - CVE-2026-47782
  • The CVSS vectors assume that a victim user is directed to install a malicious app, and that the app sends an intent that makes RoboForm download files silently.
Johan Francsics reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity

CVSS V3 Severity:
Base Metrics 3.3 (Low) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
Affected Products


Siber Systems Inc.
  • RoboForm Password Manager (Android App) versions 9.8.6.3 and prior

iOS App is not affected by the vulnerability.
Impact

If a URL to a malicious web page is given through an intent, RoboForm may silently download files without user confirmation or notification.
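
For developers of apps that accept URLs through intents, the following is an added example of a validation policy that refuses unsafe URLs and requires user confirmation for unknown hosts. It is not RoboForm's code or the vendor's fix; the class name, the host allowlist and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Decides what to do with a URL received from another app's intent (illustrative policy). */
public class IntentUrlPolicy {
    enum Decision { REJECT, ASK_USER, OPEN }

    // Hypothetical allowlist: hosts the user already has saved logins for.
    private final Set<String> knownHosts;

    IntentUrlPolicy(Set<String> knownHosts) { this.knownHosts = knownHosts; }

    Decision evaluate(String rawUrl) {
        final URI uri;
        try {
            uri = new URI(rawUrl).normalize();
        } catch (URISyntaxException | NullPointerException e) {
            return Decision.REJECT;                      // unparsable or missing input
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return Decision.REJECT;
        // Only https: drops file:, content:, javascript:, intent: and cleartext http:.
        if (!"https".equals(scheme.toLowerCase(Locale.ROOT))) return Decision.REJECT;
        // Embedded credentials (https://trusted@other.example/) disguise the real host.
        if (uri.getRawUserInfo() != null) return Decision.REJECT;
        // Unknown hosts are never opened silently: the caller must show the URL and ask.
        return knownHosts.contains(host.toLowerCase(Locale.ROOT))
                ? Decision.OPEN : Decision.ASK_USER;
    }

    public static void main(String[] args) {
        IntentUrlPolicy policy = new IntentUrlPolicy(Set.of("login.example.com"));
        String[] samples = {                             // constructed sample inputs
            "https://login.example.com/signin",
            "https://files.example.net/setup.apk",
            "http://login.example.com/signin",
            "file:///sdcard/Download/x.html",
            "https://login.example.com@files.example.net/",
            "not a url"
        };
        for (String s : samples) System.out.println(policy.evaluate(s) + "  " + s);
    }
}
```

Even when the policy returns `OPEN`, a download started by the loaded page should still surface a confirmation or notification, since the weakness described here is the missing UI warning (CWE-357).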
Solution

[Update the App]
Update the app to the latest version according to the information provided by the developer.
Vendor Information

Siber Systems Inc.
CWE

  1. Insufficient UI Warning of Dangerous Operations (CWE-357) [Other]
CVE

  1. CVE-2026-47782
References

  1. JVN : JVNVU#93461473
Revision History

  • [2026/05/21]
      Web page was published