Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An arbitrary file overwrite vulnerability in Zora: Post, Trade, Earn Crypto v2.60.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
AnalysisAI
Arbitrary file overwrite in Zora: Post, Trade, Earn Crypto v2.60.0 enables attackers to overwrite critical internal files through the file import process, resulting in remote code execution or information exposure. The vulnerability affects the cryptocurrency trading application's file handling mechanism, allowing unauthenticated remote attackers to inject malicious content into system-critical files. No active exploitation has been confirmed at time of analysis, though the attack vector and impact severity warrant immediate investigation by affected users.
Technical ContextAI
The vulnerability stems from improper validation and sanitization of file paths during the import process in Zora v2.60.0. The application fails to restrict file write operations to intended directories, permitting attackers to use path traversal or absolute path techniques to overwrite arbitrary files on the system. This represents a path traversal or improper input validation issue (CWE class) where user-supplied file paths are not adequately constrained. The file import feature, likely designed to load legitimate data or configuration files, lacks sufficient access controls to prevent overwriting critical application files, system configuration files, or executable code that could be subsequently executed by the application or operating system. The cryptocurrency trading context suggests the application handles sensitive financial data and authentication credentials, making file overwrite attacks particularly severe.
RemediationAI
Immediate remediation requires updating Zora to a patched version released after v2.60.0; however, no specific fix version number is provided in the available intelligence, and patch availability has not been independently confirmed. Users should check the official Zora website (https://zora.co/) and the research disclosure on GitHub (https://github.com/Secsys-FDU/AF_CVEs/issues/15) for available security updates and specific guidance. As a temporary mitigation, administrators should restrict access to the file import functionality to trusted users only, disable the import feature if not essential, and implement strict file system permissions to prevent overwriting of critical application and system files. Monitor file system access logs for suspicious modifications to application directories and credential stores.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17595
GHSA-859r-7hr7-6694