{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5471", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-03T07:37:53.776Z", "datePublished": "2026-04-03T15:45:10.403Z", "dateUpdated": "2026-04-04T03:17:50.783Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-03T15:45:10.403Z"}, "title": "Investory Toy Planet Trouble App app.investory.toyfactory google-services-desktop.json hard-coded key", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-321", "lang": "en", "description": "Use of Hard-coded Cryptographic Key"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-320", "lang": "en", "description": "Key Management Error"}]}], "affected": [{"vendor": "Investory", "product": "Toy Planet Trouble App", "versions": [{"version": "1.5.0", "status": "affected"}, {"version": "1.5.1", "status": "affected"}, {"version": "1.5.2", "status": "affected"}, {"version": "1.5.3", "status": "affected"}, {"version": "1.5.4", "status": "affected"}, {"version": "1.5.5", "status": "affected"}], "modules": ["app.investory.toyfactory"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Investory Toy Planet Trouble App up to 1.5.5 on Android. Impacted is an unknown function of the file assets/google-services-desktop.json of the component app.investory.toyfactory. The manipulation of the argument current_key results in use of hard-coded cryptographic key\r . The attack must be initiated from a local position. The exploit is now public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-03T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-03T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-03T09:42:59.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "fxizenta (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/355075", "name": "VDB-355075 | Investory Toy Planet Trouble App app.investory.toyfactory google-services-desktop.json hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355075/cti", "name": "VDB-355075 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781784", "name": "Submit #781784 | INVESTORY Investory(app.investory.toyfactory) 1.5.5 Firebase API Key Exposure", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/Firebase-API-Key-Exposure-Leading-to-Unauthorized-Anonymous-Authentication-and-Data-Access-in-app-in-3262de3f97fb80f1abe6fb5f3eb373bc?source=copy_link", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-04T03:17:37.607495Z", "id": "CVE-2026-5471", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:17:50.783Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5471", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-04T03:17:37.607495Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:17:46.469Z"}}], "cna": {"title": "Investory Toy Planet Trouble App app.investory.toyfactory google-services-desktop.json hard-coded key", "credits": [{"lang": "en", "type": "reporter", "value": "fxizenta (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Investory", "modules": ["app.investory.toyfactory"], "product": "Toy Planet Trouble App", "versions": [{"status": "affected", "version": "1.5.0"}, {"status": "affected", "version": "1.5.1"}, {"status": "affected", "version": "1.5.2"}, {"status": "affected", "version": "1.5.3"}, {"status": "affected", "version": "1.5.4"}, {"status": "affected", "version": "1.5.5"}]}], "timeline": [{"lang": "en", "time": "2026-04-03T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-03T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-03T09:42:59.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355075", "name": "VDB-355075 | Investory Toy Planet Trouble App app.investory.toyfactory google-services-desktop.json hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355075/cti", "name": "VDB-355075 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781784", "name": "Submit #781784 | INVESTORY Investory(app.investory.toyfactory) 1.5.5 Firebase API Key Exposure", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/Firebase-API-Key-Exposure-Leading-to-Unauthorized-Anonymous-Authentication-and-Data-Access-in-app-in-3262de3f97fb80f1abe6fb5f3eb373bc?source=copy_link", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Investory Toy Planet Trouble App up to 1.5.5 on Android. Impacted is an unknown function of the file assets/google-services-desktop.json of the component app.investory.toyfactory. The manipulation of the argument current_key results in use of hard-coded cryptographic key\r . The attack must be initiated from a local position. The exploit is now public and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "Use of Hard-coded Cryptographic Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-320", "description": "Key Management Error"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-03T15:45:10.403Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5471", "state": "PUBLISHED", "dateUpdated": "2026-04-04T03:17:50.783Z", "dateReserved": "2026-04-03T07:37:53.776Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-03T15:45:10.403Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Investory Toy Planet Trouble App up to 1.5.5 on Android. Impacted is an unknown function of the file assets/google-services-desktop.json of the component app.investory.toyfactory. The manipulation of the argument current_key results in use of hard-coded cryptographic key\r . The attack must be initiated from a local position. The exploit is now public and may be used."}], "id": "CVE-2026-5471", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 1.7, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-03T16:16:45.540", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/781784"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355075"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355075/cti"}, {"source": "cna@vuldb.com", "url": "https://www.notion.so/Firebase-API-Key-Exposure-Leading-to-Unauthorized-Anonymous-Authentication-and-Data-Access-in-app-in-3262de3f97fb80f1abe6fb5f3eb373bc?source=copy_link"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-320"}, {"lang": "en", "value": "CWE-321"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.5.0,1.5.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Toy Planet Trouble App", "source": "cna", "vendor": "Investory"}, "product": "toy_planet_trouble_app", "vendor": "investory"}], "analysis": {"en": {"generated_at": "2026-04-03T19:20:41.595480+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor patch for Investory\u202fToy Planet Trouble App (upgrade to a version newer than\u202f1.5.5 if available).", "If no patch is available, uninstall the application or restrict its installation to trusted devices.", "Ensure that devices run reproducible builds and verify the integrity of asset files as part of device hardening procedures."], "summary": {"action": "Patch", "impact": "Unauthorized data exposure"}, "threat_synthesis": {"affected_systems": "The affected product is the Investory:Toy Planet Trouble App for Android, versions up to and including\u202f1.5.5. The component specifically impacted is\u202fapp.investory.toyfactory; no other vendors or products are listed.", "description_and_impact": "A vulnerability exists in the Android release of the Investory Toy Planet Trouble App up to version\u202f1.5.5. The flaw lies in the assets file\u202fgoogle\u2011services\u2011desktop.json, where manipulation of the\u202fcurrent_key\u202fparameter results in the app using a hard\u2011coded cryptographic key. This exposes cryptographic material that could be used to decrypt stored data or forge authentication tokens. The weakness is associated with CWE\u2011320 (Use of Hard\u2011coded Cryptography) and CWE\u2011321 (Use of Predictably Generated Keys). The primary impact is a potential loss of confidentiality and integrity for user data stored or transmitted by the app.", "risk_and_exploitability": "The CVSS score of\u202f4.8 indicates moderate severity. The exploit requires a local attack, meaning the attacker must have physical or local access to the device to modify the argument. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves local manipulation of the asset file, allowing an attacker to leverage the hard\u2011coded key to compromise data confidentiality and integrity."}}}}, "created": "2026-04-03T21:12:59.976978+00:00", "updated": "2026-04-03T21:15:12.297730+00:00", "vendors": ["investory", "investory$PRODUCT$toy_planet_trouble_app"]}