CVE-2026-5471

Summary

A vulnerability was detected in Investory Toy Planet Trouble App up to 1.5.5 on Android. Impacted is an unknown function of the file assets/google-services-desktop.json of the component app.investory.toyfactory. The manipulation of the argument current_key results in use of hard-coded cryptographic key . The attack must be initiated from a local position. The exploit is now public and may be used.

Affected Software

VendorProductVersion RangeStatus
InvestoryToy Planet Trouble App1.5.0affected
InvestoryToy Planet Trouble App1.5.1affected
InvestoryToy Planet Trouble App1.5.2affected
InvestoryToy Planet Trouble App1.5.3affected
InvestoryToy Planet Trouble App1.5.4affected
InvestoryToy Planet Trouble App1.5.5affected

Weaknesses

  • CWE-321: Use of Hard-coded Cryptographic Key
  • CWE-320: Key Management Error

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References