CVE-2026-30278
Published: 31 March 2026
Summary
CVE-2026-30278 is a critical-severity Path Traversal (CWE-22) vulnerability in Funair Fly Is Fun. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at the 43.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-30278 is an arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation version 35.33, classified as CWE-22 (path traversal). The flaw sits in the file import process: a path derived from the import input is used in a filesystem write without being confined to the intended import location, so an attacker can direct the write at the application's own internal files. Overwriting those files can lead to arbitrary code execution or information exposure. Published on 2026-03-31, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), Critical.
Per the vector, the attack is network-reachable and low complexity and needs neither privileges nor user interaction; scope is unchanged, with high impact to confidentiality, integrity and availability. In practice the attacker supplies a crafted file name or path through the import mechanism. Which internal files are reachable, and therefore whether the practical outcome is code execution or data exposure, depends on the product's file layout, which the CVE description does not enumerate.
The CVE record cites http://fly.com, http://www.funair.cz/forum and https://secsys.fudan.edu.cn/ as references. This page does not name a fixed version, so practitioners should check the vendor channel (funair.cz) for a fixed release and remediation steps rather than relying on the score alone.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17538
Vulnerability details
An arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation v35.33 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
- CWE(s): CWE-22, Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The CVE describes an unauthenticated remote network exploit against a file import feature in a publicly reachable application, directly matching the definition of T1190 (Exploit Public-Facing Application). The path-traversal file overwrite primitive yields arbitrary code execution and data exposure as direct consequences of successful exploitation.
Affected Assets
- FLY is FUN Aviation Navigation v35.33
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate and canonicalize file paths taken from the import input and reject anything that resolves outside the import location; this directly blocks the path traversal that enables the arbitrary file overwrite.
- SI-2 (Flaw Remediation): identify, report and correct the path traversal flaw in the file import mechanism, i.e. deploy the vendor fix once one is published.
- SI-7 (Software, Firmware, and Information Integrity): monitor the integrity of critical internal files so that an unauthorized overwrite resulting from exploitation is detected, which also covers the window before a fix is applied.
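The following Python is an added example, not code from FLY is FUN (the product's import code is not shown on this page). It contrasts the unvalidated path join that produces a CWE-22 overwrite of the kind described in the deeper analysis with the containment check that the SI-10 control above calls for. The directory layout, file names, the "critical" settings file and the three payloads (relative traversal, absolute path, attacker-planted symlink) are all constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Added example; the import_dir / client_name layout and the target file are
# constructed, not taken from the product.


class PathTraversalError(ValueError):
    """Raised when a client-supplied name would leave the import directory."""


def import_file_vulnerable(import_dir: str, client_name: str, data: bytes) -> Path:
    """Pattern matching the CWE-22 description: the name taken from the import
    request is joined to the import directory and written without validation.
    os.path.join discards import_dir entirely when client_name is absolute,
    and '..' components walk out of it."""
    dest = Path(os.path.join(import_dir, client_name))
    dest.write_bytes(data)
    return dest


def resolve_import_path(import_dir: str, client_name: str) -> Path:
    """SI-10 style check: canonicalise both sides and require containment.

    Rejects NUL bytes (Python refuses them, but many C-backed file APIs
    silently truncate the name there), absolute names, and any path that,
    after '..' and symlink resolution, is not strictly inside import_dir."""
    if "\x00" in client_name:
        raise PathTraversalError("NUL byte in filename")
    if not client_name or Path(client_name).is_absolute():
        raise PathTraversalError("absolute or empty filename")
    base = Path(import_dir).resolve()
    # resolve() follows symlinks in the existing prefix of the path, so a link
    # planted inside the import directory cannot redirect the write outside it.
    candidate = (base / client_name).resolve()
    if candidate == base or base not in candidate.parents:
        raise PathTraversalError(f"{client_name!r} escapes {base}")
    return candidate


def import_file_hardened(import_dir: str, client_name: str, data: bytes) -> Path:
    """Same write, but only after the containment check passes."""
    dest = resolve_import_path(import_dir, client_name)
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Run both importers against constructed payloads under a temp tree and
    return what each one did so the behaviour can be checked."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        app = Path(root) / "app"
        import_dir = app / "import"
        import_dir.mkdir(parents=True)
        critical = app / "settings.cfg"  # stands in for an internal file
        critical.write_text("original")

        # Constructed payloads: relative traversal, absolute path, symlink escape.
        payloads = ["../settings.cfg", str(critical), "link/settings.cfg"]
        try:
            os.symlink(app, import_dir / "link")  # attacker-planted link
        except OSError:
            payloads.pop()  # platform without symlink support

        import_file_vulnerable(str(import_dir), payloads[0], b"owned")
        results["vulnerable_overwrote"] = critical.read_text() == "owned"
        critical.write_text("original")

        blocked = []
        for name in payloads + ["\x00.cfg"]:
            try:
                import_file_hardened(str(import_dir), name, b"owned")
            except PathTraversalError:
                blocked.append(name)
        results["hardened_blocked"] = blocked
        results["critical_intact"] = critical.read_text() == "original"

        # A benign name still works and lands inside import_dir.
        ok = import_file_hardened(str(import_dir), "chart.dat", b"data")
        results["benign_inside"] = ok.parent == import_dir.resolve()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares fully resolved paths on both sides rather than string prefixes: a prefix test on the unresolved string passes `import/../settings.cfg` and also lets `import2/` match `import`, which is why `Path.parents` is used for the containment decision.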