CWE-939— Improper Authorization in Handler for Custom URL Scheme
The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.— MITRE CWE catalog
23 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-939page 1 of 1
- CVE-2020-11000MEDIUMCVSS 5.7EG 5.72020-04-08
GreenBrowser before version 1.2 has a vulnerability where apps that rely on URL Parsing to verify that a given URL is pointing to a trust server may be susceptible to many different ways to get URL parsing and verification wrong, which all…
- CVE-2021-31384HIGHCVSS 7.2EG 7.22021-10-19
Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an attacker who attempts to access J-Web a…
- CVE-2022-20736MEDIUMCVSS 5.3EG 5.32022-06-15
A vulnerability in the web-based management interface of Cisco AppDynamics Controller Software could allow an unauthenticated, remote attacker to access a configuration file and the login page for an administrative console that they would …
- CVE-2023-43582HIGHCVSS 8.8EG 5.52023-11-15
Improper authorization in some Zoom clients may allow an authorized user to conduct an escalation of privilege via network access.
- CVE-2024-33606HIGHCVSS 8.8EG 8.82024-06-11
An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing medical images on a MicroDicom DICOM Viewer system. User interaction is required to exploit this vulnerability.
- CVE-2024-35298MEDIUMCVSS 4.3EG 4.32024-06-19
Improper authorization in handler for custom URL scheme issue in 'ZOZOTOWN' App for Android versions prior to 7.39.6 allows an attacker to lead a user to access an arbitrary website via another application installed on the user's device. A…
- CVE-2024-41918MEDIUMCVSS 6.1EG 3.12024-08-29
'Rakuten Ichiba App' for Android 12.4.0 and earlier and 'Rakuten Ichiba App' for iOS 11.7.0 and earlier are vulnerable to improper authorization in handler for custom URL scheme. An arbitrary site may be displayed on the WebView of the pro…
- CVE-2024-45203MEDIUMCVSS 4.3EG 4.32024-09-09
Improper authorization in handler for custom URL scheme issue in "@cosme" App for Android versions prior 5.69.0 and "@cosme" App for iOS versions prior to 6.74.0 allows an attacker to lead a user to access an arbitrary website via the vuln…
- CVE-2024-54014LOWCVSS 3.6EG 3.62024-12-05
Improper authorization in handler for custom URL scheme issue in 'Skylark' App for Android 6.2.13 and earlier and 'Skylark' App for iOS 6.2.13 and earlier allows an attacker to lead the application to access an arbitrary web site via anoth…
- CVE-2024-54125LOWCVSS 3.3EG 3.32024-12-17
Improper authorization in handler for custom URL scheme issue in "Shonen Jump+" App for Android versions prior to 4.0.0 allows an attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may beco…
- CVE-2025-41408MEDIUMCVSS 4.3EG 4.32025-09-05
Improper authorization in handler for custom URL scheme issue in "Yahoo! Shopping" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As …
- CVE-2025-5020MEDIUMCVSS 4.3EG 4.32025-05-21
Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixe…
- CVE-2025-67739LOWCVSS 3.1EG 3.12025-12-11
In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure
- CVE-2026-1046HIGHCVSS 7.6EG 7.62026-02-16
Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on certain items in the Help menu Matte…
- CVE-2026-12065LOWCVSS 1.8EG 1.82026-06-12
A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url s…
- CVE-2026-12189MEDIUMCVSS 5.3EG 5.32026-06-14
A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. This affects an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in handler for custom url scheme. The attack…
- CVE-2026-12190MEDIUMCVSS 5.3EG 5.32026-06-14
A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authorization in handler for custom url scheme.…
- CVE-2026-26123MEDIUMCVSS 5.5EG 5.52026-03-10
Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.
- CVE-2026-3471MEDIUMCVSS 6.5EG 6.52026-05-18
Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling {{window.…
- CVE-2026-35394HIGHCVSS 8.3EG 8.32026-04-06
Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of …
- CVE-2026-53407CRITICALCVSS 9.8EG 8.12026-06-12
Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.
- CVE-2026-53408HIGHCVSS 8.1EG 8.12026-06-12
Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.
- CVE-2026-6445HIGHCVSS 8.7EG 8.72026-06-09
A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive information to an authenticated user with low privileges.
Map vulnerabilities like CWE-939 to your infrastructure
EchelonGraph correlates every CVE — across CWE-939 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →