GHSL-2026-102: Unauthorized exfiltration of decrypted attachments in Signal through Intent redirection

Versions >= v6.38.0 and < v8.4.2 of the website flavor of Signal for Android (distributed at https://signal.org/android/apk) allows another installed app without any permissions to exfiltrate decrypted attachments (photos, videos, documents, voice notes) by exploiting Intent redirection, potentially exposing sensitive user data.