CVE Catalog

CVE-2026-9221

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID.

Risk Assessment

Exposure of the session ID allows an attacker to impersonate the legitimate user and issue authenticated API requests, potentially leading to unauthorized access to data and application functions.

Recommendation

Immediately update the Setracker2 app to a version that uses a more secure signing algorithm (e.g., HMAC-SHA256) and enforce session rotation after authentication.

Original NVD description (English source)

The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID. With the session ID exposed, an attacker could impersonate the legitimate user and issue authenticated API requests.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS