{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30278", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-02T14:19:48.538Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-31T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-31T17:07:59.044Z"}, "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation v35.33 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://fly.com"}, {"url": "https://secsys.fudan.edu.cn/"}, {"url": "http://www.funair.cz/forum"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:18:56.315400Z", "id": "CVE-2026-30278", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:19:48.538Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30278", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T14:18:56.315400Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:19:41.943Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://fly.com"}, {"url": "https://secsys.fudan.edu.cn/"}, {"url": "http://www.funair.cz/forum"}], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation v35.33 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-31T17:07:59.044Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30278", "state": "PUBLISHED", "dateUpdated": "2026-04-02T14:19:48.538Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-31T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation v35.33 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "id": "CVE-2026-30278", "lastModified": "2026-04-02T15:16:35.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-31T18:16:46.863", "references": [{"source": "cve@mitre.org", "url": "http://fly.com"}, {"source": "cve@mitre.org", "url": "http://www.funair.cz/forum"}, {"source": "cve@mitre.org", "url": "https://secsys.fudan.edu.cn/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-31T18:51:01.631982+00:00", "value": {"mitigation_remediation": ["Check with the vendor for a patch that addresses the import\u2010related overwrite bug", "If a patch is unavailable or delayed, temporarily disable the file import feature or restrict it to trusted users only", "Configure filesystem permissions so that import processes cannot overwrite critical configuration files", "Actively monitor system logs for anomalous file modifications or attempts to upload files with unexpected paths", "Consider network segmentation or firewall rules to limit external access to the import endpoint"], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution via File Overwrite"}, "threat_synthesis": {"affected_systems": "This vulnerability is present in FLY is FUN Aviation Navigation version 35.33. No other affected versions are documented in the available data.", "description_and_impact": "The flaw allows an attacker to overwrite critical internal files during the file import process, which can lead to arbitrary code execution or the exposure of sensitive information. The likely attack vector is through the import interface, where an attacker submits a crafted file that directs the system to write over protected files.", "risk_and_exploitability": "Based on the description, it is inferred that an attacker who can reach the import functionality\u2014potentially over a network\u2014could exploit the overwrite to inject malicious code with the privileges of the application. The absence of a CVSS or EPSS score means the exact severity and exploitation probability cannot be quantified from the supplied data, but the potential for remote code execution and data leakage suggests a high risk. The vulnerability is not listed in the CISA KEV catalog, so there is no publicly known exploited exploit at this time, but the attack surface is presumably accessible if the import endpoint is exposed."}}}}, "created": "2026-03-31T19:56:51.626969+00:00", "title": "Arbitrary File Overwrite Vulnerability in FLY is FUN Aviation Navigation v35.33", "updated": "2026-03-31T19:56:51.626994+00:00", "vendors": [], "weaknesses": ["CWE-22"]}