Cyber Posture

CVE-2026-30286

Critical

Published: 31 March 2026
Modified: 03 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

An arbitrary file overwrite vulnerability in Funambol, Inc. Zefiro Cloud v32.0.2026011614 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- [prevent] Validate and canonicalize file paths and destinations in the import process, so that traversal sequences in a client-supplied name cannot redirect the write outside the intended import directory. This addresses the root cause of the arbitrary file overwrite.

- [prevent] Restrict where file imports may land: the import process should never be able to write into critical internal areas (configuration, binaries, application code), so that even a path that slips past validation cannot overwrite them.

- [prevent, detect] Verify the integrity of critical files and software (for example, against a recorded hash baseline) so that overwritten code is not executed and unauthorized modifications made through the import process are detected.
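The following is an added example illustrating the three controls above; it is not Zefiro Cloud's or Funambol's code, and the page gives no detail about the real import process. It assumes a hypothetical import API that takes a client-supplied relative filename and writes under an import root, a hypothetical directory layout in which a `conf/` directory sits next to that root, and a hypothetical `PROTECTED_DIRS` list. The vulnerable resolver shows the CWE-22 pattern (join without canonicalization); the hardened one canonicalizes, confines the result to the root, and blocks protected areas; the hash baseline shows the integrity check catching the overwrite.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Assumption (hypothetical layout): sub-directories of the import root that an
# import must never write into even though they sit under the root.
PROTECTED_DIRS = frozenset({"config", "bin", "lib", "webapps"})


class UnsafeImportPath(ValueError):
    """Raised when a client-supplied import destination is rejected."""


def resolve_import_destination_vulnerable(import_root: Path | str, client_path: str) -> Path:
    """The CWE-22 pattern: the client-supplied name is joined to the root with no
    canonicalisation, so '../conf/app.properties' walks out of the import root."""
    return Path(import_root) / client_path


def resolve_import_destination(import_root: Path | str, client_path: str) -> Path:
    """Hardened resolver: canonicalise the destination, require it to stay under
    the import root (control 1) and outside protected areas (control 2)."""
    if not client_path or "\x00" in client_path:
        raise UnsafeImportPath("empty path or NUL byte")
    # Backslashes are rejected outright: on Windows they are separators and on
    # POSIX a '..\\' component would survive as an odd but legal filename.
    if "\\" in client_path or os.path.isabs(client_path) or client_path.startswith("/"):
        raise UnsafeImportPath("absolute path or backslash not allowed")
    root = Path(import_root).resolve()
    # resolve() collapses '.' and '..' and follows symlinks, so a symlink planted
    # inside the root that points outside it is caught as well.
    candidate = (root / client_path).resolve()
    if candidate == root:
        raise UnsafeImportPath("destination is the import root itself")
    try:
        rel = candidate.relative_to(root)
    except ValueError:
        raise UnsafeImportPath(f"path escapes import root: {client_path}") from None
    if rel.parts[0] in PROTECTED_DIRS:
        raise UnsafeImportPath(f"destination in protected area: {rel.parts[0]}")
    return candidate


def is_safe_import_path(import_root: Path | str, client_path: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_import_destination(import_root, client_path)
    except UnsafeImportPath:
        return False
    return True


def baseline_hashes(paths: list[Path]) -> dict[str, str]:
    """Record SHA-256 digests of critical files at deploy time (control 3)."""
    return {str(p): hashlib.sha256(p.read_bytes()).hexdigest() for p in paths}


def verify_integrity(baseline: dict[str, str]) -> list[str]:
    """Return the baselined paths whose content changed or which went missing."""
    tampered = []
    for name, expected in baseline.items():
        p = Path(name)
        current = hashlib.sha256(p.read_bytes()).hexdigest() if p.is_file() else None
        if current != expected:
            tampered.append(name)
    return tampered


def demo() -> dict:
    """Constructed scenario: a critical file outside the import root, the vulnerable
    resolver letting a traversal name overwrite it, the integrity check flagging the
    change, and the hardened resolver rejecting the same name before any write."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        import_root = base / "imports"
        import_root.mkdir()
        critical = base / "conf" / "app.properties"  # constructed critical file
        critical.parent.mkdir()
        critical.write_text("admin.password=original\n")
        baseline = baseline_hashes([critical])

        evil = "../conf/app.properties"  # attacker-chosen import filename
        target = resolve_import_destination_vulnerable(import_root, evil)
        target.write_text("admin.password=attacker\n")  # lands on the critical file
        tampered = verify_integrity(baseline)
        return {
            "vulnerable_overwrote_critical": critical.read_text().startswith("admin.password=attacker"),
            "integrity_check_flagged": [Path(p).name for p in tampered],
            "hardened_rejected": not is_safe_import_path(import_root, evil),
        }
```

The order of the checks matters: the absolute-path test runs before the join because `Path(root) / "/etc/passwd"` silently discards the root, and the containment test uses the resolved path rather than a string prefix so that `..`, symlinks and a root such as `/srv/import` versus `/srv/import-old` are all handled correctly. The protected-area list is a second layer, not a substitute for containment.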

Security Summary (AI-generated)

CVE-2026-30286, published on 2026-03-31, is an arbitrary file overwrite vulnerability classified under CWE-22 (path traversal) in Funambol, Inc.'s Zefiro Cloud version 32.0.2026011614. The issue resides in the file import process, which attackers can abuse to overwrite critical internal files. The flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which places it in the critical range.

Remote attackers require no authentication or user interaction to exploit the vulnerability over the network with low complexity. Successful exploitation allows overwriting of critical files, leading to arbitrary code execution or information exposure, with high impacts on confidentiality, integrity, and availability.

References include a GitHub issue at https://github.com/Secsys-FDU/AF_CVEs/issues/14 detailing the vulnerability, the Zefiro app listing on Google Play at https://play.google.com/store/apps/details?id=com.funambol.zefiro, the Secsys Fudan site at https://secsys.fudan.edu.cn/, and the Zefiro site at https://zefiro.me/. No specific patch or mitigation details are provided in the available information.

Details

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products

Vendor: funambol
Product: zefiro
Version: 32.0.2026011614

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The arbitrary file overwrite sits in a public-facing cloud service (Zefiro Cloud) and, per the CVSS vector, is reachable remotely without authentication, so successful exploitation leading to code execution maps to initial access via a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

- https://github.com/Secsys-FDU/AF_CVEs/issues/14 (GitHub issue describing the vulnerability)
- https://play.google.com/store/apps/details?id=com.funambol.zefiro (Zefiro app listing on Google Play)
- https://secsys.fudan.edu.cn/ (Secsys Fudan)
- https://zefiro.me/ (Zefiro site)