CVE-2026-9222 | Setracker2 Android Companion App com.tgelec.setracker versio… | CVSS 8.1 HIGH

Description

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow an attacker, who knows the hash, to authenticate and gain full access.

Metadata

CVE ID: CVE-2026-9222
State: PUBLISHED
Assigner: icscert
Reserved: 2026-05-21 17:34 UTC
Published: 2026-06-25 23:29 UTC
Last updated: 2026-06-25 23:29 UTC
Primary CWE: CWE-836
CWE-836 Use of password hash instead of password for authent…
Vendor / Product: Shenzhen i365-Tech Co. Ltd. / Setracker2 Parental Control App (Android) package com.tgelec.setracker
Sources: cve.org · NVD

Severity & Metrics

8.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
Shenzhen i365-Tech Co. Ltd.	Setracker2 Parental Control App (Android) package com.tgelec.setracker	—	0 ≤ 3.1.5

Weakness (CWE)

CWE	Source	Description
CWE-836	cna	CWE-836 Use of password hash instead of password for authentication

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.2	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
8.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json