CVE-2025-27599

Element X Android is a Matrix Android Client provided by element.io. Prior to version 25.04.2, a crafted hyperlink on a webpage, or a locally installed malicious app, can force Element X up to version 25.04.1 to load a webpage with similar permissions to Element Call and automatically grant it temporary access to microphone and camera. This issue has been patched in version 25.04.2.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/element-hq/element-x-android/commit/dc058544d7e693c04298191c1aadd5b39c9be52e
https://github.com/element-hq/element-x-android/releases/tag/v25.04.2
https://github.com/element-hq/element-x-android/security/advisories/GHSA-m5px-pwq3-4p5m

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Element X Android es un cliente Matrix para Android proporcionado por element.io. Antes de la versión 25.04.2, un hipervínculo manipulado en una página web o una aplicación maliciosa instalada localmente podían obligar a Element X (hasta la versión 25.04.1) a cargar una página web con permisos similares a Element Call y otorgarle automáticamente acceso temporal al micrófono y la cámara. Este problema se ha corregido en la versión 25.04.2.

18 Apr 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-18 16:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-27599

Mitre link : CVE-2025-27599

CVE.ORG link : CVE-2025-27599

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

CWE-926

Improper Export of Android Application Components

6.5 /10