Oppo

Products by Oppo Sorted by Most Security Vulnerabilities since 2018

Oppo Coloros: 6 vulnerabilities

Oppo Store: 1 vulnerability

Oppo Ovoicemanager: 1 vulnerability

Oppo Qualityprotect: 1 vulnerability

Oppo Quick App: 1 vulnerability

By the Year

In 2026 there have been 3 vulnerabilities in Oppo with an average score of 7.2 out of ten. Last year, in 2025, Oppo had 2 security vulnerabilities published. That is, 1 more vulnerability has already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.20.




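| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 3 | 7.20 |
| 2025 | 2 | 7.40 |
| 2024 | 1 | 7.50 |
| 2023 | 2 | 9.80 |
| 2022 | 1 | 9.80 |
| 2021 | 1 | 7.80 |
| 2020 | 4 | 0.00 |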

It may take a day or so for new Oppo vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Oppo Security Vulnerabilities

| CVE | Date | Vulnerability | Products |
|-----|------|---------------|----------|
| CVE-2026-22069 | May 19, 2026 | LOCAL PRIV ESCALATION IN O+ CONNECT PIPE AUTHENTICATION: A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface. | |
| CVE-2026-22070 | Apr 30, 2026 | ColorOS Assistant LFI via Unauth Start-Download: ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal. | |
| CVE-2026-22077 | Apr 27, 2026 | OPPO Wallet App Trusted Domain Flaw Bypasses Access, Enables Token Hijack: OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may lead to account token hijacking and sensitive information disclosure. | |
| CVE-2025-27389 | Dec 05, 2025 | ColorOS App Source Verification Bypass Enables Rogue App Install: A flaw exists in the verification of application installation sources within ColorOS. Under specific conditions, this issue may cause the risk detection mechanism to fail, which could allow malicious applications to be installed without proper warning. | Coloros |
| CVE-2025-27387 | Jun 23, 2025 | OPPO Clone Phone WiFi hotspot weak pass leads to Info disclosure: OPPO Clone Phone uses a weak password WiFi hotspot to transfer files, resulting in information disclosure. | Coloros |
| CVE-2024-1608 | Feb 20, 2024 | OPPO Usercenter Credit SDK Privilege Escalation via Loose Permission: In OPPO Usercenter Credit SDK, there's a possible escalation of privilege due to a loose permission check. This could lead to application internal information leak w/o user interaction. | Usercenter Credit Software Development Kit |
| CVE-2023-26311 | Aug 10, 2023 | RCE in OPPO Store App WebView (Android): A remote code execution vulnerability in the webview component of OPPO Store app. | Oppo Store |
| CVE-2023-26310 | Aug 09, 2023 | Command Injection in Mobile Phone Backup App: There is a command injection problem in the old version of the mobile phone backup app. | Coloros |
| CVE-2021-23247 | Apr 01, 2022 | A command injection vulnerability found in quick game engine allows arbitrary remote code in quick app. Allows remote attackers to gain arbitrary code execution in quick game engine. | Quick App |
| CVE-2021-23244 | Dec 27, 2021 | ColorOS pregrants dangerous permissions to apps which are listed in a whitelist XML named default-grant-permissions. But some apps in the whitelist are not installed, so an attacker can disguise an app with the same package name to obtain dangerous permissions. | Coloros |
| CVE-2020-11829 | Nov 19, 2020 | Dynamic loading of services in the backup and restore SDK leads to elevated privileges; affected product is com.coloros.codebook V2.0.0_5493e40_200722. | Coloros |
| CVE-2020-11830 | Nov 19, 2020 | QualityProtect has a vulnerability to execute arbitrary system commands; affected product is com.oppo.qualityprotect V2.0. | Qualityprotect |
| CVE-2020-11831 | Nov 19, 2020 | OvoiceManager has system permission to write vulnerability reports for arbitrary files; affected product is com.oppo.ovoicemanager V2.0.1. | Ovoicemanager |
| CVE-2020-11828 | Apr 21, 2020 | In ColorOS (oppo mobile phone operating system, based on AOSP frameworks/native code position/services/surfaceflinger surfaceflinger.CPP), RGB is defined on the stack but uninitialized, so when the screenShot function assigns the RGB value, the uninitialized value is returned to the attacker, leaking values on the stack; the vulnerability can be used by attackers to bypass ASLR. | Coloros |
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).