Cyber Resilience

CVE-2026-30282

Critical

Published: 31 March 2026

Modified: 07 April 2026
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0038 (29.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-30282 is a critical-severity Path Traversal (CWE-22) vulnerability in Uxgroupllc Cast To Tv. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 29.3rd percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-30282 is an arbitrary file overwrite vulnerability in UXGROUP LLC's Cast to TV Screen Mirroring version 2.2.77. The issue arises in the file import process, enabling attackers to overwrite critical internal files and potentially achieve arbitrary code execution or information exposure. It maps to CWE-22 (Path Traversal) and CWE-73 (External Control of File Name or Path), with a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H). The vulnerability was published on 2026-03-31T18:16:47.123.

The attack requires network access, low complexity, low privileges such as an authenticated user account, and user interaction to import a malicious file. A low-privileged attacker can exploit this to overwrite files, escalating impact across confidentiality, integrity, and availability with high severity due to the changed scope, ultimately enabling arbitrary code execution or data exposure on the targeted system.

Advisories and additional details, including potential mitigation steps, are available at the following references: http://cast.com, https://appcraze.co/, https://github.com/Secsys-FDU/AF_CVEs/issues/27, and https://secsys.fudan.edu.cn/.

Vulnerability details

An arbitrary file overwrite vulnerability in UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Arbitrary file overwrite via path traversal (CWE-22/73) from low-privileged authenticated network access directly enables privilege escalation to arbitrary code execution with scope change.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30284 (Same vendor: Uxgroupllc)
CVE-2026-24287 (Shared CWE-73)
CVE-2016-20041 (Shared CWE-22)
CVE-2025-66429 (Shared CWE-22)
CVE-2026-20931 (Shared CWE-73)
CVE-2025-54307 (Shared CWE-22)
CVE-2026-20688 (Shared CWE-22)
CVE-2026-32060 (Shared CWE-22)
CVE-2026-20614 (Shared CWE-22)
CVE-2025-48567 (Shared CWE-22)

Affected Assets

uxgroupllc
cast to tv
2.2.77

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates file paths and names during the import process to directly prevent path traversal attacks enabling arbitrary file overwrites.

prevent

Enforces access control policies to restrict low-privileged authenticated users from writing to or overwriting critical internal files.

detect

Monitors and verifies the integrity of critical internal files to detect unauthorized overwrites resulting from the file import vulnerability.
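
One way to apply the two preventive controls above to a file import step, as an added example (not code from the vendor or from the referenced advisories). The names `safe_import` and `ImportRejected` and the single import directory are assumptions; the application's real import code is not shown on this page.

```python
import os
from pathlib import Path


class ImportRejected(Exception):
    """Raised when an untrusted file name must not be written."""


def safe_import(import_root: Path, supplied_name: str, data: bytes) -> Path:
    """Write data under import_root using an untrusted, sender-supplied name.

    Hypothetical helper: validates the name (input validation) and refuses
    to replace any existing file (access enforcement on internal files).
    """
    root = import_root.resolve(strict=True)
    if not supplied_name or "\x00" in supplied_name:
        raise ImportRejected("empty name or NUL byte")
    # Treat "\" as a separator too, so "..\\x" is caught on POSIX systems.
    parts = supplied_name.replace("\\", "/").split("/")
    # An empty part means a leading, trailing or doubled separator.
    if any(p in ("", ".", "..") for p in parts):
        raise ImportRejected(f"unsafe path component in {supplied_name!r}")
    # resolve() follows symlinks, so a link inside the import directory that
    # points elsewhere fails the containment check below.
    target = root.joinpath(*parts).resolve()
    if not target.is_relative_to(root):  # Python 3.9+
        raise ImportRejected(f"{supplied_name!r} resolves outside the import directory")
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL: never overwrite an existing file. O_NOFOLLOW: never write
    # through a symlink at the final path component (where available).
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(target, flags, 0o600)
    except FileExistsError:
        raise ImportRejected(f"{supplied_name!r} already exists; not overwriting") from None
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target
```

The containment check and the write are separate steps, so the import directory itself must not be writable by other principals.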
