CVE-2026-26208 HIGH

CVE-2026-26208: ADB Explorer Vulnerable to Remote Code Execution via Insecure Deserialization

Vendor Alex4Ssb
Product ADB-Explorer
Weakness CWE-502 · Unsafe deserialization
Published February 13, 2026
Last update February 13, 2026

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects. This allows an attacker to supply a crafted JSON file containing a gadget chain (e.g., ObjectDataProvider) to execute arbitrary code when the application launches and subsequently saves its settings. This vulnerability is fixed in Beta 0.9.26020.

Key dates

02Disclosure timeline

February 13, 2026 CVE published
February 13, 2026 Record updated