phonepe CVE Vulnerabilities & Metrics

Focus on phonepe vulnerabilities and metrics.

Last updated: 29 Jun 2025, 22:25 UTC

About phonepe Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with phonepe. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total phonepe CVEs: 6
Earliest CVE date: 23 Sep 2018, 22:29 UTC
Latest CVE date: 25 May 2025, 19:15 UTC

Latest CVE reference: CVE-2025-5154

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0.0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical phonepe CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 2.3

Max CVSS: 4.3

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	4
4.0-6.9	2
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS phonepe CVEs

These are the five CVEs with the highest CVSS scores for phonepe, sorted by severity first and recency.

CVE-2018-17403 phonepe Published on 23 Sep 2018, 22:29 UTC (CVSS: 4.3)
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to impersonate a user and set up their account without their knowledge. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users...
CVE-2018-17401 phonepe Published on 23 Sep 2018, 22:29 UTC (CVSS: 4.3)
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by exploiting its Forgot Password feature. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to th...
CVE-2018-17402 phonepe Published on 23 Sep 2018, 22:29 UTC (CVSS: 2.6)
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to discover the Credit/Debit card number, expiration date, and CVV number. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the us...
CVE-2025-5154 phonepe Published on 25 May 2025, 19:15 UTC (CVSS: 1.4)
A vulnerability, which was classified as problematic, was found in PhonePe App 25.03.21.0 on Android. Affected is an unknown function of the file /data/data/com.phonepe.app/databases/ of the component SQLite Database. The manipulation leads to cleartext storage in a file or on disk. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
CVE-2018-17400 phonepe Published on 23 Sep 2018, 22:29 UTC (CVSS: 1.2)
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by intercepting the user name and PIN during the initial configuration of the application. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that t...

All CVEs for phonepe

CVE-2025-5154 phonepe vulnerability CVSS: 1.4 25 May 2025, 19:15 UTC

A vulnerability, which was classified as problematic, was found in PhonePe App 25.03.21.0 on Android. Affected is an unknown function of the file /data/data/com.phonepe.app/databases/ of the component SQLite Database. The manipulation leads to cleartext storage in a file or on disk. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.

CVE-2022-45835 phonepe vulnerability CVSS: 0 13 Nov 2023, 03:15 UTC

Server-Side Request Forgery (SSRF) vulnerability in PhonePe PhonePe Payment Solutions.This issue affects PhonePe Payment Solutions: from n/a through 1.0.15.

CVE-2018-17403 phonepe vulnerability CVSS: 4.3 23 Sep 2018, 22:29 UTC

The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to impersonate a user and set up their account without their knowledge. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots

CVE-2018-17402 phonepe vulnerability CVSS: 2.6 23 Sep 2018, 22:29 UTC

The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to discover the Credit/Debit card number, expiration date, and CVV number. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots

CVE-2018-17401 phonepe vulnerability CVSS: 4.3 23 Sep 2018, 22:29 UTC

The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by exploiting its Forgot Password feature. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots

CVE-2018-17400 phonepe vulnerability CVSS: 1.2 23 Sep 2018, 22:29 UTC

The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by intercepting the user name and PIN during the initial configuration of the application. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots