Skip to main content

MaruNuri LLC CVE-2026-30281

| EUVDEUVD-2026-17482 CRITICAL
External Control of File Name or Path (CWE-73)
2026-03-31 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 31, 2026 - 16:00 euvd
EUVD-2026-17482
Analysis Generated
Mar 31, 2026 - 16:00 vuln.today
CVE Published
Mar 31, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

An arbitrary file overwrite vulnerability in MaruNuri LLC v2.0.23 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

AnalysisAI

Arbitrary file overwrite in MaruNuri LLC v2.0.23 allows remote attackers to overwrite critical internal files during the file import process, enabling arbitrary code execution or information exposure. No CVSS score, exploit code availability, or active exploitation status is documented in available sources.

Technical ContextAI

The vulnerability resides in MaruNuri's file import functionality, which fails to properly validate or sanitize file paths during import operations. This allows attackers to specify arbitrary file paths that overwrite existing system or application files. The underlying weakness is path traversal or insufficient input validation on file destinations, enabling an attacker to write malicious content to locations where code execution can be achieved (such as plugin directories, configuration files, or executable locations) or to read sensitive application data by overwriting files with known content. The exact technical mechanism (e.g., zip extraction without path checks, symlink following, or directory traversal) is not specified in available sources.

RemediationAI

The vendor MaruNuri LLC should be contacted directly for patch availability, as no specific patched version number is documented in available sources. Users of MaruNuri v2.0.23 should monitor the official MaruNuri website (https://maru.xyz/) and Google Play Store (https://play.google.com/store/apps/details?id=neo.maru) for security updates. Until a patch is released, restrict file import functionality to trusted sources and monitor file system access for unexpected overwrites of critical application files. The security research issue tracking this vulnerability is documented at https://github.com/Secsys-FDU/AF_CVEs/issues/21.

Share

CVE-2026-30281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy