CVE-2026-9221
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID.
Risk Assessment
Exposure of the session ID allows an attacker to impersonate the legitimate user and issue authenticated API requests, potentially leading to unauthorized access to data and application functions.
Recommendation
Immediately update the Setracker2 app to a version that uses a more secure signing algorithm (e.g., HMAC-SHA256) and enforce session rotation after authentication.
Original NVD description (English source)
The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID. With the session ID exposed, an attacker could impersonate the legitimate user and issue authenticated API requests.

