
CVE-2026-30278

Critical

Published: 31 March 2026

Modified: 06 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0058 (43.4th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-30278 is a critical-severity Path Traversal (CWE-22) vulnerability in Funair's FLY is FUN Aviation Navigation, version 35.33. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 43.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30278 is an arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation version 35.33. The flaw, classified as CWE-22 (path traversal), sits in the file import process: a file name or path taken from the imported data is used to choose the write destination without being confined to the intended import directory, so an attacker can steer the write onto critical internal files. Depending on which file is overwritten, this can lead to arbitrary code execution or information exposure. Published on 2026-03-31, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Per the CVSS vector, unauthenticated remote attackers can exploit the vulnerability over the network with low attack complexity and no user interaction. By supplying a crafted import containing traversal sequences, they can target and overwrite essential application files, achieving arbitrary code execution to gain control of the affected application or server, or exposing sensitive data through file manipulation. Note that the remote, unauthenticated characterisation comes from the CVSS vector; the advisory text itself only states that the overwrite occurs through the file import process, so confirm how imported files reach the application in your environment before treating this as an Internet-facing exposure.
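The mechanism above, and the SI-10 input-validation control listed under Mitigating Controls, are illustrated by the following added example. It is not the vendor's code and nothing about FLY is FUN's real import format is assumed: it models a generic importer that takes an entry name from an imported file, first in the CWE-22 pattern (the name is joined to the import directory as-is) and then hardened to confine every write to the import directory. All paths, entry names and function names are hypothetical, and the sample entry names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


class TraversalRejected(ValueError):
    """Raised when an import entry name would land outside the import directory."""


def import_entry_vulnerable(import_dir: Path, entry_name: str, data: bytes) -> Path:
    """CWE-22 pattern: the name taken from the imported file is joined to the
    import directory unchanged, so '../' segments or an absolute name move the
    write anywhere the process can write (e.g. over an internal config file)."""
    dest = Path(os.path.join(import_dir, entry_name))
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def safe_destination(import_dir: Path, entry_name: str) -> Path:
    """Return the resolved write target, or raise if it escapes import_dir.

    Checks, in order: empty or NUL-containing names, absolute names (either
    separator style), '..' segments, and finally the canonical path after
    symlink resolution, which catches a symlinked subdirectory pointing
    outside the tree that the earlier string checks cannot see."""
    if not entry_name or "\x00" in entry_name:
        raise TraversalRejected("empty or NUL-containing entry name")
    normalised = entry_name.replace("\\", "/")
    if normalised.startswith("/") or os.path.isabs(normalised):
        raise TraversalRejected(f"absolute entry name: {entry_name!r}")
    parts = Path(normalised).parts
    if ".." in parts:
        raise TraversalRejected(f"parent-directory segment: {entry_name!r}")
    root = import_dir.resolve(strict=True)
    dest = root.joinpath(*parts).resolve()
    if root not in dest.parents:  # also rejects dest == root (empty name)
        raise TraversalRejected(f"resolves outside import dir: {entry_name!r}")
    return dest


def import_entry_hardened(import_dir: Path, entry_name: str, data: bytes) -> Path:
    """Same importer with the destination validated before anything is written."""
    dest = safe_destination(import_dir, entry_name)
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


# Constructed inputs: entry names an attacker might place inside an import file.
HOSTILE_NAMES = [
    "../config.ini",               # classic dot-dot
    "charts/../../config.ini",     # dot-dot behind a benign-looking prefix
    "charts\\..\\..\\config.ini",  # backslash separators
    "/etc/hosts",                  # absolute path
    "charts\x00.db",               # NUL byte (truncation trick in native code)
]


def demo() -> dict:
    """Run both importers in a scratch tree and report what happened."""
    base = Path(tempfile.mkdtemp())
    import_dir = base / "imports"
    import_dir.mkdir()
    config = base / "config.ini"  # stands in for a critical internal file
    config.write_text("trusted_sources=vendor\n")
    out = {}

    # Vulnerable importer: one hostile name is enough to overwrite the config.
    import_entry_vulnerable(import_dir, "../config.ini", b"trusted_sources=*\n")
    out["vulnerable_overwrote_config"] = config.read_text() == "trusted_sources=*\n"
    config.write_text("trusted_sources=vendor\n")

    # Hardened importer: every hostile name is rejected, benign names still work.
    rejected = []
    for name in HOSTILE_NAMES:
        try:
            import_entry_hardened(import_dir, name, b"x")
        except TraversalRejected:
            rejected.append(name)
    out["hardened_rejected_all"] = rejected == HOSTILE_NAMES
    out["config_intact"] = config.read_text() == "trusted_sources=vendor\n"
    written = import_entry_hardened(import_dir, "charts/region.db", b"ok")
    out["benign_written"] = (written == (import_dir / "charts" / "region.db").resolve()
                             and written.read_bytes() == b"ok")

    # Symlinked subdirectory pointing outside the tree (None where symlinks are unavailable).
    try:
        os.symlink(base, import_dir / "link", target_is_directory=True)
    except (OSError, NotImplementedError):
        out["symlink_rejected"] = None
    else:
        try:
            import_entry_hardened(import_dir, "link/config.ini", b"x")
            out["symlink_rejected"] = False
        except TraversalRejected:
            out["symlink_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: string-level rejection of absolute names and `..` is cheap and gives clear error messages, but only the final comparison against the resolved canonical root defends against a symlink inside the import directory, and the `parents` check (rather than a string prefix test) avoids accepting a sibling directory whose name merely starts with the root's name.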

Advisories for this issue are published at http://fly.com, http://www.funair.cz/forum, and https://secsys.fudan.edu.cn/; mitigation details and patch information are referenced there. Security practitioners should consult these sources for vendor-specific remediation steps, and in particular the vendor forum for the fixed version.


Vulnerability details

An arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation v35.33 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')


MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an unauthenticated remote network exploit against a file import feature in a publicly reachable application, directly matching the definition of T1190 (Exploit Public-Facing Application). The path-traversal file overwrite primitive yields arbitrary code execution and data exposure as direct consequences of successful exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2505 (shared CWE-22)
CVE-2026-5841 (shared CWE-22)
CVE-2026-33242 (shared CWE-22)
CVE-2026-33292 (shared CWE-22)
CVE-2026-35605 (shared CWE-22)
CVE-2025-53632 (shared CWE-22)
CVE-2025-8110 (shared CWE-22)
CVE-2026-8757 (shared CWE-22)
CVE-2025-7712 (shared CWE-22)
CVE-2026-31817 (shared CWE-22)

Affected Assets

Vendor: funair
Product: fly is fun
Version: 35.33

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Implements input validation on file paths during the import process, confining every write to the intended import directory, to directly block the path traversal that enables arbitrary file overwrites.

SI-2 Flaw Remediation (prevent)

Identifies, reports, and corrects the specific path traversal flaw in the file import mechanism (i.e. applying the vendor fix) to eliminate the vulnerability.

Integrity monitoring of critical files (detect)

Monitors the integrity of critical internal files to detect unauthorized overwrites resulting from exploitation of the file import vulnerability; the baseline used for comparison must be stored where the import process cannot write, or an attacker who can overwrite files can overwrite the baseline as well.
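As an added illustration of the detect control (not the vendor's code, and independent of any real FLY is FUN file layout), the following builds a SHA-256 baseline of a constructed set of critical files, then re-checks the tree after a simulated traversal overwrite and a deletion. File names, paths and the `demo` scenario are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large data files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, critical_files: list) -> dict:
    """Record the hash and size of each critical file from a known-good state.
    In a real deployment this baseline is written somewhere the application
    (and therefore the import process) cannot modify."""
    baseline = {}
    for rel in critical_files:
        p = root / rel
        baseline[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return baseline


def check_integrity(root: Path, baseline: dict) -> list:
    """Compare the live tree against the baseline; one finding per deviation."""
    findings = []
    for rel, expected in baseline.items():
        p = root / rel
        if not p.is_file():
            findings.append({"file": rel, "status": "missing"})
            continue
        actual = sha256_file(p)
        if actual != expected["sha256"]:
            findings.append({
                "file": rel,
                "status": "modified",
                "expected": expected["sha256"][:12],
                "actual": actual[:12],
                "size_delta": p.stat().st_size - expected["size"],
            })
    return findings


def demo() -> dict:
    """Constructed scenario: baseline two critical files, then simulate an
    attacker overwriting one via traversal and removing the other."""
    root = Path(tempfile.mkdtemp())
    critical = ["config.ini", "data/airports.db"]
    (root / "data").mkdir()
    (root / "config.ini").write_text("trusted_sources=vendor\n")
    (root / "data" / "airports.db").write_bytes(b"\x00" * 64)

    baseline = build_baseline(root, critical)
    clean = check_integrity(root, baseline)  # nothing has changed yet

    (root / "config.ini").write_text("trusted_sources=*\n")  # traversal overwrite lands here
    (root / "data" / "airports.db").unlink()                 # and a file goes missing
    after = check_integrity(root, baseline)
    return {"clean": clean, "after": after}


if __name__ == "__main__":
    print(demo())
```

Run the check on a schedule and immediately after every import, and alert on any finding: a modified file whose only legitimate writer is the application's own update path is the signature of this class of exploitation.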
