CVE-2026-58460
Severity: High (CVSS 7.7)
Exploitation Probability (EPSS): Low risk, 4th percentile (higher than 4% of all known CVEs)
Summary
The react-native-receive-sharing-intent library contains a path traversal vulnerability that allows a malicious app to write files outside the intended cache directory by supplying a crafted _display_name value with dot-dot path components. An attacker can send an ACTION_SEND intent to the exported share-receiver activity to overwrite arbitrary files in the app's private data directory, including databases, shared preferences, and cached configuration.
Risk Assessment
An attacker can overwrite critical application files such as databases or preferences, potentially leading to privilege escalation, data theft, or full application compromise.
Recommendation
It is recommended to immediately update the react-native-receive-sharing-intent library to the latest patched version and restrict the export of the share-receiver activity to trusted applications only.
Original NVD description (English source)
react-native-receive-sharing-intent contains a path traversal vulnerability that allows a co-resident malicious application to write files outside the intended cache directory by supplying a crafted _display_name value containing dot-dot path components through a malicious ContentProvider. Attackers can fire an explicit ACTION_SEND intent at the consuming app's exported share-receiver activity to overwrite arbitrary files in the consuming app's private data directory, including databases, shared preferences, and cached configuration, with attacker-controlled content.
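A defensive check for the flaw described above, as an added example that is not code from the library or from its patch: plain Java (no Android dependencies) that compares a naive join of the provider-supplied name with a resolver that keeps only the final path component and verifies the canonical result stays inside the cache directory. The class and method names, the directory layout and the sample `_display_name` values are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;

public class SafeCacheName {
    // Unsafe pattern: the provider-supplied name is joined to the cache dir as-is,
    // so dot-dot components in it climb out of that directory.
    static File unsafeResolve(File cacheDir, String displayName) {
        return new File(cacheDir, displayName);
    }

    // Hardened: keep only the last path component, reject empty and dot names,
    // then confirm the canonical result is a direct child of the cache dir.
    static File safeResolve(File cacheDir, String displayName) throws IOException {
        if (displayName == null) throw new IOException("missing display name");
        String name = displayName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..") || name.indexOf('\0') >= 0) {
            throw new IOException("rejected display name");
        }
        File base = cacheDir.getCanonicalFile();
        File target = new File(base, name).getCanonicalFile();
        if (!base.equals(target.getParentFile())) {
            throw new IOException("resolved path escapes cache directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout standing in for an app's private data directory.
        File dataDir = new File(System.getProperty("java.io.tmpdir"), "demo-app-data");
        File cacheDir = new File(dataDir, "cache");
        cacheDir.mkdirs();
        File base = cacheDir.getCanonicalFile();
        // Constructed sample values for the _display_name column.
        String[] names = { "photo.jpg", "../shared_prefs/settings.xml", "a/../../databases/app.db", ".." };
        for (String n : names) {
            File u = unsafeResolve(cacheDir, n).getCanonicalFile();
            boolean escaped = !u.toPath().startsWith(base.toPath());
            String safe;
            try {
                safe = safeResolve(cacheDir, n).getName();
            } catch (IOException e) {
                safe = "rejected (" + e.getMessage() + ")";
            }
            System.out.printf("%-32s unsafe escapes=%-5b safe -> %s%n", n, escaped, safe);
        }
    }
}
```

The canonical-path comparison also rejects a name that matches a symlink already present in the cache directory, since the resolved target's parent would no longer be the cache directory.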

