CVE-2026-30286
Published: 31 March 2026
Summary
CVE-2026-30286 is a critical-severity Path Traversal (CWE-22) vulnerability in Funambol Zefiro. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 46.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2026-30286, published on 2026-03-31, is an arbitrary file overwrite vulnerability classified under CWE-22 in Funambol, Inc.'s Zefiro Cloud version 32.0.2026011614. The issue resides in the file import process, which attackers can abuse to overwrite critical internal files. This flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
Remote attackers require no authentication or user interaction to exploit the vulnerability over the network with low complexity. Successful exploitation allows overwriting of critical files, leading to arbitrary code execution or information exposure, with high impacts on confidentiality, integrity, and availability.
References include a GitHub issue at https://github.com/Secsys-FDU/AF_CVEs/issues/14 detailing the vulnerability, the Zefiro app listing on Google Play at https://play.google.com/store/apps/details?id=com.funambol.zefiro, the Secsys Fudan site at https://secsys.fudan.edu.cn/, and the Zefiro site at https://zefiro.me/. No specific patch or mitigation details are provided in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17579
Vulnerability details
An arbitrary file overwrite vulnerability in Funambol, Inc. Zefiro Cloud v32.0.2026011614 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
- CWE: CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
An arbitrary file overwrite in a public-facing cloud service (Zefiro Cloud) enables remote, unauthenticated exploitation leading to code execution.
Affected Assets
- Funambol, Inc. Zefiro Cloud v32.0.2026011614
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates file paths and destinations in the import process, directly preventing the path traversal that enables arbitrary file overwrites.
- Restricts file import inputs from being directed to critical internal system areas, blocking unauthorized overwrites.
- SI-7 (Software, Firmware, and Information Integrity): verifies the integrity of critical files and software to prevent execution of overwritten code and to detect unauthorized modifications made via file import.
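The SI-10 control above amounts to one concrete check: an import must only ever write inside its designated directory, regardless of the name the client supplies. The following is an added illustration of that check, not code from Funambol or the Zefiro product (how Zefiro's import process is actually implemented is not described in the available information). The import root, the planted symlink and the sample names are constructed for the demonstration; the function rejects directory components, dot components, NUL bytes and any name that, after symlink resolution, lands outside the import root.

```python
"""Added example (not Funambol/Zefiro code): destination validation for a file
import, the kind of input check NIST SP 800-53 SI-10 calls for.
The import root layout and the sample names below are constructed for this
illustration and are not taken from the product."""
import os
import tempfile
from pathlib import Path


class ImportPathError(ValueError):
    """Raised when a requested import destination is rejected."""


def resolve_import_destination(import_root: Path, requested_name: str) -> Path:
    """Return the canonical destination for `requested_name` inside `import_root`.

    Rejects empty names, NUL bytes, any path separator (so no '..' segments or
    absolute paths can be smuggled in), bare dot components, and names that
    resolve outside the import root (for example through a planted symlink).
    """
    if not requested_name or "\x00" in requested_name:
        raise ImportPathError("empty or NUL-containing name")
    # The caller may only pick a file name, never a directory; reject both
    # separator styles so the check does not depend on the host platform.
    if "/" in requested_name or "\\" in requested_name:
        raise ImportPathError(f"directory components not allowed: {requested_name!r}")
    if requested_name in (".", ".."):
        raise ImportPathError("dot components not allowed")
    root = import_root.resolve(strict=True)  # canonical root, symlinks followed
    # resolve() follows symlinks, so a link planted inside the root that points
    # elsewhere yields a candidate whose parent is not the root.
    candidate = (root / requested_name).resolve()
    if candidate.parent != root:
        raise ImportPathError(f"destination escapes import root: {candidate}")
    return candidate


def demo() -> dict:
    """Build a throwaway import root with a planted symlink and classify a set
    of constructed names. Returns {name: accepted?}."""
    base = Path(tempfile.mkdtemp())
    root = base / "imports"
    outside = base / "outside"  # stands in for a directory the import must never touch
    root.mkdir()
    outside.mkdir()
    (outside / "secret.cfg").write_text("constructed sample\n")
    # A symlink inside the root pointing outside it: the classic way a
    # name-only check is bypassed, caught here by resolving before comparing.
    os.symlink(outside / "secret.cfg", root / "linked.cfg")
    samples = [
        "report.csv",          # ordinary file name: accepted
        "../../etc/passwd",    # traversal via separators: rejected
        "/etc/passwd",         # absolute path: rejected
        "..",                  # bare dot component: rejected
        "a\x00b.txt",          # NUL byte (C-string truncation): rejected
        "linked.cfg",          # symlink escaping the root: rejected
        "sub/dir.txt",         # nested path: rejected
    ]
    results = {}
    for name in samples:
        try:
            resolve_import_destination(root, name)
            results[name] = True
        except ImportPathError:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name!r:22} -> {'accepted' if ok else 'rejected'}")
```

The check is deliberately conservative: it accepts only a bare file name and resolves it against the canonical root before comparing, so neither `..` segments, absolute paths nor symlinks planted in the import directory can redirect the write. The NUL-byte rejection matters in mixed-language stacks where a higher-level runtime passes the name to a C-string filesystem API that would silently truncate it.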