彙總 oppo 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
歷史漏洞主要涉及 記憶體損壞與路徑處理缺陷 等問題,部分漏洞可能導致 記憶體損壞,並影響 生產負載與軟體部署 相關場景。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-22070 | ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal. | [email protected] | 7.1 | 0.21% | 2026-04-30 | 2026-06-17 |
| CVE-2024-1608 | In OPPO Usercenter Credit SDK, there's a possible escalation of privilege due to loose permission check, This could lead to application internal information leak w/o user interaction. | [email protected] | 9.1 | 0.46% | 2024-02-20 | 2026-06-17 |
| CVE-2023-26311 | A remote code execution vulnerability in the webview component of OPPO Store app. | [email protected] | 7.4 | 0.64% | 2023-08-10 | 2026-06-17 |
| CVE-2023-26310 | There is a command injection problem in the old version of the mobile phone backup app. | [email protected] | 7.4 | 0.95% | 2023-08-09 | 2026-06-17 |
| CVE-2021-23247 | A command injection vulerability found in quick game engine allows arbitrary remote code in quick app. Allows remote attacke0rs to gain arbitrary code execution in quick game engine | [email protected] | 9.8 | 1.69% | 2022-04-01 | 2026-06-16 |
| CVE-2021-23246 | In ACE2 ColorOS11, the attacker can obtain the foreground package name through permission promotion, resulting in user information disclosure. | [email protected] | 7.5 | 0.93% | 2022-03-11 | 2026-06-16 |
| CVE-2021-23244 | ColorOS pregrant dangerous permissions to apps which are listed in a whitelist xml named default-grant-permissions.But some apps in whitelist is not installed, attacker can disguise app with the same package name to obtain dangerous permission. | [email protected] | 7.8 | 0.63% | 2021-12-27 | 2026-06-16 |
| CVE-2020-11835 | In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/charger_ic/oppo_da9313.c, failure to check the parameter buf in the function proc_work_mode_write in proc_work_mode_write causes a vulnerability. | [email protected] | 5.5 | 0.32% | 2020-12-31 | 2026-06-16 |
| CVE-2020-11834 | In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_vooc.c, the function proc_fastchg_fw_update_write in proc_fastchg_fw_update_write does not check the parameter len, resulting in a vulnerability. | [email protected] | 5.5 | 0.32% | 2020-12-31 | 2026-06-16 |
| CVE-2020-11833 | In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/charger_ic/oppo_mp2650.c, the function mp2650_data_log_write in mp2650_data_log_write does not check the parameter len which causes a vulnerability. | [email protected] | 5.5 | 0.32% | 2020-12-31 | 2026-06-16 |
| CVE-2020-11832 | In functions charging_limit_current_write and charging_limit_time_write in /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_charger.c have not checked the parameters, which causes a vulnerability. | [email protected] | 5.5 | 0.32% | 2020-12-31 | 2026-06-16 |
| CVE-2020-11831 | OvoiceManager has system permission to write vulnerability reports for arbitrary files, affected product is com.oppo.ovoicemanager V2.0.1. | [email protected] | 9.8 | 1.37% | 2020-11-19 | 2026-06-16 |
| CVE-2020-11830 | QualityProtect has a vulnerability to execute arbitrary system commands, affected product is com.oppo.qualityprotect V2.0. | [email protected] | 9.8 | 1.45% | 2020-11-19 | 2026-06-16 |
| CVE-2020-11829 | Dynamic loading of services in the backup and restore SDK leads to elevated privileges, affected product is com.coloros.codebook V2.0.0_5493e40_200722. | [email protected] | 9.8 | 1.14% | 2020-11-19 | 2026-06-16 |
| CVE-2020-11828 | In ColorOS (oppo mobile phone operating system, based on AOSP frameworks/native code position/services/surfaceflinger surfaceflinger.CPP), RGB is defined on the stack but uninitialized, so when the screenShot function to RGB value assignment, will not initialize the value is returned to the attackers, leading to values on the stack information leakage, the vulnerability can be used to bypass attackers ALSR. | [email protected] | 7.5 | 1.17% | 2020-04-21 | 2026-06-16 |
| CVE-2018-14996 | The Oppo F5 Android device with a build fingerprint of OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys contains a pre-installed platform app with a package name of com.dropboxchmod (versionCode=1, versionName=1.0) that contains an exported service named com.dropboxchmod.DropboxChmodService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-per | [email protected] | 7.8 | 0.52% | 2019-04-25 | 2026-06-16 |