Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An arbitrary file overwrite vulnerability in MaruNuri LLC v2.0.23 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
AnalysisAI
Arbitrary file overwrite in MaruNuri LLC v2.0.23 allows remote attackers to overwrite critical internal files during the file import process, enabling arbitrary code execution or information exposure. No CVSS score, exploit code availability, or active exploitation status is documented in available sources.
Technical ContextAI
The vulnerability resides in MaruNuri's file import functionality, which fails to properly validate or sanitize file paths during import operations. This allows attackers to specify arbitrary file paths that overwrite existing system or application files. The underlying weakness is path traversal or insufficient input validation on file destinations, enabling an attacker to write malicious content to locations where code execution can be achieved (such as plugin directories, configuration files, or executable locations) or to read sensitive application data by overwriting files with known content. The exact technical mechanism (e.g., zip extraction without path checks, symlink following, or directory traversal) is not specified in available sources.
RemediationAI
The vendor MaruNuri LLC should be contacted directly for patch availability, as no specific patched version number is documented in available sources. Users of MaruNuri v2.0.23 should monitor the official MaruNuri website (https://maru.xyz/) and Google Play Store (https://play.google.com/store/apps/details?id=neo.maru) for security updates. Until a patch is released, restrict file import functionality to trusted sources and monitor file system access for unexpected overwrites of critical application files. The security research issue tracking this vulnerability is documented at https://github.com/Secsys-FDU/AF_CVEs/issues/21.
Same weakness CWE-73 – External Control of File Name or Path
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17482