MEDIUM 6.1

CVE-2026-10510: XSS in Transsion AI Assistant Lifestyle Android App – MEDIUM Risk

A cross-site scripting (XSS) vulnerability exists in the GeniexWebView component of Transsion's AI Assistant Lifestyle application for Android. An attacker can craft a malicious URL containing injected JavaScript code in the web_action_data parameter, which the vulnerable WebView will execute with the same privileges as the application. This allows arbitrary JavaScript execution in the context of the app, potentially compromising user data or enabling phishing attacks. The vulnerability affects all versions of the application currently in distribution.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

Cross-Site Scripting (XSS) in GeniexWebView component in Transsion AI Assistant Lifestyle application (com.transsion.aiassistantlifestyle) all versions on Android allows remote attacker to execute arbitrary JavaScript in the WebView context via crafted web_action_data URL parameter.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10510 is a reflected XSS vulnerability (CWE-79) in the GeniexWebView component of com.transsion.aiassistantlifestyle. The flaw stems from insufficient input validation or sanitization of the web_action_data URL parameter before rendering content in a WebView. An unauthenticated remote attacker can deliver a crafted URL to a user, causing arbitrary JavaScript to execute with the WebView's security context. The CVSS 3.1 score of 6.1 (MEDIUM severity) reflects the requirement for user interaction, network accessibility, and the limited impact scope (no system-level availability compromise, though confidentiality and integrity are at risk).

Business impact

Users of the Transsion AI Assistant Lifestyle application face potential unauthorized access to session data, cached credentials, or sensitive user information accessible to the app. An attacker could inject malicious JavaScript to redirect users to phishing pages, capture form inputs, or perform actions on behalf of the user (such as modifying settings or exfiltrating cached data). The attack requires user interaction (clicking a link), limiting but not eliminating the risk. For organizations whose employees or customers use this application, the vulnerability represents a supply-chain risk and potential vector for social engineering attacks.

Affected systems

The vulnerability affects all versions of the Transsion AI Assistant Lifestyle application (package name: com.transsion.aiassistantlifestyle) on Android. Transsion is a Chinese mobile brand with significant market share in emerging markets, particularly Africa, so the user base may be substantial in certain regions. Any Android device running any version of this app is vulnerable to XSS attacks delivered through the web_action_data parameter.

Exploitability

Exploitability is moderate. The attack requires an attacker to craft and deliver a malicious URL to a target user (via phishing email, social engineering, or malicious website). The user must click or tap the link for the JavaScript to execute. There is no evidence of active exploitation in the wild (the vulnerability is not on the KEV catalog), nor do we have confirmed proof-of-concept code in public repositories. However, the simplicity of XSS attacks and the common nature of WebView misconfigurations mean exploitation is straightforward once a researcher or attacker understands the vulnerable parameter. No special privileges or advanced knowledge is required.

Remediation

Transsion must release a patched version of the application that properly sanitizes and validates all user-supplied input, particularly the web_action_data parameter, before passing it to WebView rendering functions. Input should be strictly validated against an allowlist of expected values or URL schemes, and any dynamic content should be escaped or encoded. Additionally, enabling WebView security features (such as disabling JavaScript execution if not essential, using Content Security Policy headers, or sandboxing) would reduce the attack surface. Users should update to the patched version as soon as it becomes available.

Patch guidance

Monitor Transsion's official channels and app stores (Google Play, Transsion's regional app stores) for a security update to com.transsion.aiassistantlifestyle. When an update is released, verify the vendor advisory or release notes confirm that the XSS vulnerability has been addressed. Deploy the patched version across your organization or user base as part of your standard app update process. Given the ease of exploitation and user-facing nature, prioritize this update for timely deployment once available.

Detection guidance

On Android devices, monitor for anomalous WebView activity or unexpected JavaScript execution within the application. Network detection is limited, as the attack vector is primarily the URL parameter itself. However, security teams can: (1) block or monitor suspicious URLs containing encoded or obfuscated JavaScript in the web_action_data parameter if the app is accessed through a proxy or MDM; (2) use Android Enterprise policies to restrict app permissions where feasible; (3) educate users to avoid clicking suspicious links or links from untrusted sources that reference this app. Application-level logging or debugging on test devices can help identify the exact parameter and injection point.

Why prioritize this

Although rated MEDIUM severity, this vulnerability should be prioritized for remediation due to its ease of exploitation, widespread applicability (all app versions), and user-facing risk. The requirement for user interaction does not significantly reduce urgency in environments where social engineering is a known threat vector. The lack of KEV status does not indicate low risk; it reflects that active exploitation has not yet been reported to CISA. Early patching limits the window of opportunity for attackers.

Risk score, explained

The CVSS 3.1 score of 6.1 reflects: (1) Network attack vector (high ease of delivery); (2) Low attack complexity (XSS is a well-understood attack class); (3) No privileges required (unauthenticated attacker); (4) Required user interaction (user must click link, slightly reduces score); (5) Changed scope (JavaScript executes in WebView context, affecting more than just the app's isolated data); (6) Low confidentiality impact (information disclosure, not complete breach); (7) Low integrity impact (ability to modify content or perform actions within the app); (8) No availability impact (denial of service not possible). The score balances ease of exploitation against the limited scope and impact of XSS within a single app component.

Frequently asked questions

Can this vulnerability be exploited without user action?

No. The attacker must craft a malicious URL containing the XSS payload in the web_action_data parameter and trick or socially engineer a user into clicking or opening that link. The WebView will only render and execute the injected JavaScript if the user interacts with the link. This requirement for user interaction is reflected in the CVSS score.

What versions of the Transsion AI Assistant Lifestyle app are vulnerable?

All currently known versions of com.transsion.aiassistantlifestyle for Android are vulnerable. Transsion has not yet released a patch. Monitor official app store listings and Transsion's security advisories for a patched version.

Is this vulnerability actively being exploited?

There is no evidence of active exploitation or public proof-of-concept code at this time. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog. However, XSS vulnerabilities are commonly exploited once disclosed, so prompt patching is recommended.

How can I reduce risk if I cannot update immediately?

Educate users to avoid clicking links from untrusted sources, especially those containing URL parameters they do not recognize. Consider using Mobile Device Management (MDM) to restrict app permissions or monitor app behavior. If your organization does not rely on this app for business-critical functions, consider disabling it until a patch is available.

This analysis is based on publicly disclosed vulnerability data and CVE records as of the publication date. Transsion may have released patches or security updates after this advisory was written; always verify against the vendor's official security advisories and app store listings before deploying patches. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends organizations conduct their own risk assessment based on their specific environment and user base. No exploit code or proof-of-concept is provided or endorsed herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).