CVE-2026-13514

Summary

A weakness has been identified in Chess Play and Learn App up to 4.9.42 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.chess. This manipulation causes exposure of backup file to an unauthorized control sphere. It is feasible to perform the attack on the physical device. The exploit has been made available to the public and could be used for attacks. Upgrading the affected component is advised. The vendor was informed early about this issue. They confirmed the existence and that they will address it. Furthermore, they explain that their bug bounty "explicitly excludes physical-access attacks". However, they appreciate the quality of the report and aim at making a goodwill payment to the researcher.

Affected Software

VendorProductVersion RangeStatus
ChessPlay and Learn App4.9.0affected
ChessPlay and Learn App4.9.1affected
ChessPlay and Learn App4.9.2affected
ChessPlay and Learn App4.9.3affected
ChessPlay and Learn App4.9.4affected
ChessPlay and Learn App4.9.5affected
ChessPlay and Learn App4.9.6affected
ChessPlay and Learn App4.9.7affected
ChessPlay and Learn App4.9.8affected
ChessPlay and Learn App4.9.9affected
ChessPlay and Learn App4.9.10affected
ChessPlay and Learn App4.9.11affected
ChessPlay and Learn App4.9.12affected
ChessPlay and Learn App4.9.13affected
ChessPlay and Learn App4.9.14affected
ChessPlay and Learn App4.9.15affected
ChessPlay and Learn App4.9.16affected
ChessPlay and Learn App4.9.17affected
ChessPlay and Learn App4.9.18affected
ChessPlay and Learn App4.9.19affected
ChessPlay and Learn App4.9.20affected
ChessPlay and Learn App4.9.21affected
ChessPlay and Learn App4.9.22affected
ChessPlay and Learn App4.9.23affected
ChessPlay and Learn App4.9.24affected
ChessPlay and Learn App4.9.25affected
ChessPlay and Learn App4.9.26affected
ChessPlay and Learn App4.9.27affected
ChessPlay and Learn App4.9.28affected
ChessPlay and Learn App4.9.29affected
ChessPlay and Learn App4.9.30affected
ChessPlay and Learn App4.9.31affected
ChessPlay and Learn App4.9.32affected
ChessPlay and Learn App4.9.33affected
ChessPlay and Learn App4.9.34affected
ChessPlay and Learn App4.9.35affected
ChessPlay and Learn App4.9.36affected
ChessPlay and Learn App4.9.37affected
ChessPlay and Learn App4.9.38affected
ChessPlay and Learn App4.9.39affected
ChessPlay and Learn App4.9.40affected
ChessPlay and Learn App4.9.41affected
ChessPlay and Learn App4.9.42affected

Weaknesses

  • CWE-530: Exposure of Backup File to an Unauthorized Control Sphere
  • CWE-285: Improper Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References