{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30286", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-02T14:27:23.319Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-31T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-31T18:02:36.652Z"}, "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Funambol, Inc. Zefiro Cloud v32.0.2026011614 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://secsys.fudan.edu.cn/"}, {"url": "https://play.google.com/store/apps/details?id=com.funambol.zefiro"}, {"url": "https://zefiro.me/"}, {"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/14"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:25:59.512724Z", "id": "CVE-2026-30286", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:27:23.319Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30286", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T14:25:59.512724Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:27:12.859Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://secsys.fudan.edu.cn/"}, {"url": "https://play.google.com/store/apps/details?id=com.funambol.zefiro"}, {"url": "https://zefiro.me/"}, {"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/14"}], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Funambol, Inc. Zefiro Cloud v32.0.2026011614 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-31T18:02:36.652Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30286", "state": "PUBLISHED", "dateUpdated": "2026-04-02T14:27:23.319Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-31T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Funambol, Inc. Zefiro Cloud v32.0.2026011614 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "id": "CVE-2026-30286", "lastModified": "2026-04-02T15:16:36.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-31T18:16:47.433", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Secsys-FDU/AF_CVEs/issues/14"}, {"source": "cve@mitre.org", "url": "https://play.google.com/store/apps/details?id=com.funambol.zefiro"}, {"source": "cve@mitre.org", "url": "https://secsys.fudan.edu.cn/"}, {"source": "cve@mitre.org", "url": "https://zefiro.me/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-31T19:51:17.895260+00:00", "value": {"mitigation_remediation": ["Verify whether your deployment matches the affected version\u202f32.0.2026011614 and apply an official patch or upgrade to a newer release as soon as it is available.", "If the file import feature is not required, disable or remove it to eliminate the vulnerable entry point.", "Restrict the import functionality to validated, whitelisted file types and enforce strict path checks to prevent unauthorized overwrites.", "Consult Funambol, Inc. support or the vendor\u2019s portal for the latest advisory and additional guidance."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Zefiro Cloud version\u202f32.0.2026011614, as distributed by Funambol, Inc. No other vendors or product lines are identified as impacted.", "description_and_impact": "An arbitrary file overwrite flaw exists in the file import process of Funambol, Inc. Zefiro Cloud, allowing an attacker to replace critical internal files. This capability can lead to execution of malicious code or exposure of sensitive information, compromising the system\u2019s confidentiality and integrity.", "risk_and_exploitability": "The only information about how the flaw can be exploited comes from the description, so the attack vector is inferred to involve sending an import file via the application's upload endpoint. It is unclear whether this action requires authentication, but the presence of an import feature suggests that some level of user access is needed. The CVSS scale value is not explicitly provided, but given the possibility of arbitrary code execution the risk is considered high. Exploit probability data (EPSS) is unavailable, and the error is not listed in the CISA KEV catalog, leaving actual exploitation likelihood uncertain. Nonetheless, the potential impact warrants fast remediation."}}}}, "created": "2026-03-31T19:56:47.925934+00:00", "title": "File Import Write Overwrite Leading to Remote Code Execution", "updated": "2026-03-31T19:56:47.925958+00:00", "vendors": [], "weaknesses": ["CWE-22", "CWE-434"]}