Cyber Resilience

CVE-2026-30286

Critical

Published: 31 March 2026

Modified: 03 April 2026
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0064 (46.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-30286 is a critical-severity Path Traversal (CWE-22) vulnerability in Funambol Zefiro. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 46.0th percentile by exploit likelihood (EPSS 0.0064, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2026-30286, published on 2026-03-31, is an arbitrary file overwrite vulnerability classified under CWE-22 in Funambol, Inc.'s Zefiro Cloud version 32.0.2026011614. The issue resides in the file import process, which attackers can abuse to overwrite critical internal files. This flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

Remote attackers require no authentication or user interaction to exploit the vulnerability over the network with low complexity. Successful exploitation allows overwriting of critical files, leading to arbitrary code execution or information exposure, with high impacts on confidentiality, integrity, and availability.

References include a GitHub issue at https://github.com/Secsys-FDU/AF_CVEs/issues/14 detailing the vulnerability, the Zefiro app listing on Google Play at https://play.google.com/store/apps/details?id=com.funambol.zefiro, the Secsys Fudan site at https://secsys.fudan.edu.cn/, and the Zefiro site at https://zefiro.me/. No specific patch or mitigation details are provided in the available information.

Vulnerability details

An arbitrary file overwrite vulnerability in Funambol, Inc. Zefiro Cloud v32.0.2026011614 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CWE(s)

CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Arbitrary file overwrite in public-facing cloud service (Zefiro Cloud) enables remote unauthenticated exploitation leading to code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2505 (shared CWE-22)
CVE-2026-5841 (shared CWE-22)
CVE-2026-33242 (shared CWE-22)
CVE-2026-33292 (shared CWE-22)
CVE-2026-35605 (shared CWE-22)
CVE-2025-53632 (shared CWE-22)
CVE-2025-8110 (shared CWE-22)
CVE-2026-8757 (shared CWE-22)
CVE-2025-7712 (shared CWE-22)
CVE-2026-31817 (shared CWE-22)

Affected Assets

Vendor: funambol
Product: zefiro
Version: 32.0.2026011614

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Validates file paths and destinations in the import process to directly prevent path traversal enabling arbitrary file overwrites.

Prevent: Restricts file import inputs from being directed to critical internal system areas, blocking unauthorized overwrites.

Prevent / detect: Verifies integrity of critical files and software to prevent execution of overwritten code and detect unauthorized modifications via file import.
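The first control above (validating file paths and destinations in the import process) is the one a developer would implement directly. The following is an added illustration of that check, not code from Zefiro or Funambol: the import directory path and the file names it is exercised with are constructed placeholders, and the check goes beyond a lexical `..` test by canonicalizing the destination so that symlink escapes are caught too.

```python
import os
import tempfile
from pathlib import Path

# Constructed placeholder for the directory that holds imported files; the
# real product's on-disk layout is not described on the page (assumption).
IMPORT_ROOT = Path("/var/lib/zefiro-import")


def resolve_import_destination(root: Path, client_name: str) -> Path:
    """Return the canonical destination for an imported file, or raise
    ValueError if the client-supplied name would land outside ``root``.
    Rejects empty names, NUL bytes, absolute paths, and any name whose
    canonical form (after '..' and symlink resolution) escapes the root."""
    if not client_name:
        raise ValueError("empty file name")
    if "\x00" in client_name:
        raise ValueError("NUL byte in file name")
    if client_name.startswith(("/", "\\")) or Path(client_name).is_absolute():
        raise ValueError("absolute paths are not allowed")
    root_real = root.resolve()
    # resolve() collapses '..' segments and follows symlinks, so the
    # containment check below sees where the write would really go.
    dest_real = (root_real / client_name).resolve()
    try:
        dest_real.relative_to(root_real)  # raises when dest is outside root
    except ValueError:
        raise ValueError(f"path escapes import root: {client_name!r}") from None
    if dest_real == root_real:
        raise ValueError("name resolves to the import root itself")
    return dest_real


def is_safe_import_name(root: Path, client_name: str) -> bool:
    """Boolean form of resolve_import_destination for quick checks."""
    try:
        resolve_import_destination(root, client_name)
        return True
    except ValueError:
        return False


def symlink_escape_is_rejected() -> bool:
    """Create a throwaway root containing a symlink that points outside it
    and confirm that a write 'through' the link is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = Path(tmp) / "import", Path(tmp) / "outside"
        for d in (root, outside):
            d.mkdir()
        os.symlink(outside, root / "link")  # link -> directory outside root
        return not is_safe_import_name(root, "link/config.xml")
```

The integrity control (third entry) is complementary: this check stops the traversal at import time, while file-integrity monitoring catches an overwrite that reached disk by another route.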
