CVE-2026-9222
PUBLISHED
Published: 25 Jun 2026, 23:29
Last modified: 25 Jun 2026, 23:29
Vulnerability Summary
Overall Risk (default)
high
70/100
CVSS Score
9.2 CRITICAL
v4.0 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
25 Jun 2026, 23:29
Published
Vulnerability first disclosed
Description
Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow an attacker, who knows the hash, to authenticate and gain full access.
CVSS Metrics
- v4.0 • CRITICAL • Score: 9.2 • CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- v3.1 • HIGH • Score: 8.1 • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Techniques & Countermeasures
- CWE-836 • Use of Password Hash Instead of Password for Authentication
The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.
Affected Systems
- shenzhen i365-tech co. ltd. • setracker2 parental control app (android) package com.tgelec.setracker ≤ 3.1.5