Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
Assigner (CNA / source):[email protected] Remove this filter
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2025-27389 | A flaw exists in the verification of application installation sources within ColorOS. Under specific conditions, this issue may cause the risk detection mechanism to fail, which could allow malicious applications to be installed without proper warning. | 5.1 | 0.11% | 2025-12-05 | 2026-04-15 |
| CVE-2020-11836 | OPPO Android Phone with MTK chipset and Android 8.1/9/10/11 versions have an information leak vulnerability. The “adb shell getprop ro.vendor.aee.enforcing” or “adb shell getprop ro.vendor.aee.enforcing” return no. | 5.5 | 0.15% | 2021-02-06 | 2024-11-21 |
| CVE-2020-11835 | In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/charger_ic/oppo_da9313.c, failure to check the parameter buf in the function proc_work_mode_write in proc_work_mode_write causes a vulnerability. | 5.5 | 0.32% | 2020-12-31 | 2024-11-21 |
| CVE-2020-11834 | In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_vooc.c, the function proc_fastchg_fw_update_write in proc_fastchg_fw_update_write does not check the parameter len, resulting in a vulnerability. | 5.5 | 0.32% | 2020-12-31 | 2024-11-21 |
| CVE-2020-11833 | In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/charger_ic/oppo_mp2650.c, the function mp2650_data_log_write in mp2650_data_log_write does not check the parameter len which causes a vulnerability. | 5.5 | 0.32% | 2020-12-31 | 2024-11-21 |
| CVE-2020-11832 | In functions charging_limit_current_write and charging_limit_time_write in /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_charger.c have not checked the parameters, which causes a vulnerability. | 5.5 | 0.32% | 2020-12-31 | 2024-11-21 |
| CVE-2026-22077 | OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may lead to account token hijacking and sensitive information disclosure. | 5.6 | 0.08% | 2026-04-27 | 2026-05-19 |
| CVE-2026-22070 | ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal. | 7.1 | 0.21% | 2026-04-30 | 2026-05-05 |
| CVE-2026-22069 | A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface. | 7.3 | 0.11% | 2026-05-19 | 2026-05-19 |
| CVE-2025-27387 | OPPO Clone Phone uses a weak password WiFi hotspot to transfer files, resulting in Information disclosure. | 7.4 | 0.24% | 2025-06-23 | 2026-04-15 |
| CVE-2023-26311 | A remote code execution vulnerability in the webview component of OPPO Store app. | 7.4 | 0.64% | 2023-08-10 | 2024-11-21 |
| CVE-2023-26310 | There is a command injection problem in the old version of the mobile phone backup app. | 7.4 | 0.95% | 2023-08-09 | 2024-11-21 |
| CVE-2023-26309 | A remote code execution vulnerability in the webview component of OnePlus Store app. | 7.4 | 0.64% | 2023-08-10 | 2024-11-21 |
| CVE-2021-23246 | In ACE2 ColorOS11, the attacker can obtain the foreground package name through permission promotion, resulting in user information disclosure. | 7.5 | 0.93% | 2022-03-11 | 2024-11-21 |
| CVE-2020-11828 | In ColorOS (oppo mobile phone operating system, based on AOSP frameworks/native code position/services/surfaceflinger surfaceflinger.CPP), RGB is defined on the stack but uninitialized, so when the screenShot function to RGB value assignment, will not initialize the value is returned to the attackers, leading to values on the stack information leakage, the vulnerability can be used to bypass attackers ALSR. | 7.5 | 1.17% | 2020-04-21 | 2024-11-21 |
| CVE-2021-23244 | ColorOS pregrant dangerous permissions to apps which are listed in a whitelist xml named default-grant-permissions.But some apps in whitelist is not installed, attacker can disguise app with the same package name to obtain dangerous permission. | 7.8 | 0.63% | 2021-12-27 | 2024-11-21 |
| CVE-2021-23243 | In Oppo's battery application, the third-party SDK provides the function of loading a third-party Provider, which can be used. | 7.8 | 0.11% | 2021-09-27 | 2024-11-21 |
| CVE-2025-27388 | Loading arbitrary external URLs through WebView components introduces malicious JS code that can steal arbitrary user tokens. | 8.3 | 0.36% | 2025-08-14 | 2026-04-15 |
| CVE-2024-1610 | In OPPO Store APP, there's a possible escalation of privilege due to improper input validation. | 8.7 | 0.66% | 2024-12-18 | 2026-04-15 |
| CVE-2024-1609 | In OPPOStore iOS App, there's a possible escalation of privilege due to improper input validation. | 8.7 | 0.46% | 2024-12-25 | 2026-04-15 |