{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-9222: Setracker2 Children's Smartwatch Ecosystem Use of password hash instead of password for authentication","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-9222","status":"final","version":"1","initial_release_date":"2026-06-25T23:29:03.046Z","current_release_date":"2026-06-25T23:29:03.046Z","revision_history":[{"date":"2026-06-25T23:29:03.046Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior require only the password hash, not the password itself, when the client authenticates with backend services. An attacker who knows the hash could therefore authenticate without knowing the password and gain full access.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-9222 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-9222"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-9222"},{"category":"external","summary":"CISA CSAF advisory va-26-176-01 (source JSON)","url":"https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json"}]},"product_tree":{"branches":[{"category":"vendor","name":"Shenzhen i365-Tech Co. Ltd.","branches":[{"category":"product_name","name":"Setracker2 Parental Control App (Android) package com.tgelec.setracker","branches":[{"category":"product_version_range","name":"<=3.1.5","product":{"name":"Shenzhen i365-Tech Co. Ltd. Setracker2 Parental Control App (Android) package com.tgelec.setracker <=3.1.5","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:shenzhen_i365-tech_co._ltd.:setracker2_parental_control_app_\\(android\\)_package_com.tgelec.setracker:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-9222","title":"Setracker2 Children's Smartwatch Ecosystem Use of password hash instead of password for authentication","notes":[{"category":"description","text":"Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior require only the password hash, not the password itself, when the client authenticates with backend services. An attacker who knows the hash could therefore authenticate without knowing the password and gain full access.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":9.2,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}