Skip to main content

Zora CVE-2026-30285

| EUVDEUVD-2026-17595 CRITICAL
Path Traversal (CWE-22)
2026-03-31 mitre GHSA-859r-7hr7-6694
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 31, 2026 - 19:47 euvd
EUVD-2026-17595
Analysis Generated
Mar 31, 2026 - 19:47 vuln.today
CVE Published
Mar 31, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

An arbitrary file overwrite vulnerability in Zora: Post, Trade, Earn Crypto v2.60.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

AnalysisAI

Arbitrary file overwrite in Zora: Post, Trade, Earn Crypto v2.60.0 enables attackers to overwrite critical internal files through the file import process, resulting in remote code execution or information exposure. The vulnerability affects the cryptocurrency trading application's file handling mechanism, allowing unauthenticated remote attackers to inject malicious content into system-critical files. No active exploitation has been confirmed at time of analysis, though the attack vector and impact severity warrant immediate investigation by affected users.

Technical ContextAI

The vulnerability stems from improper validation and sanitization of file paths during the import process in Zora v2.60.0. The application fails to restrict file write operations to intended directories, permitting attackers to use path traversal or absolute path techniques to overwrite arbitrary files on the system. This represents a path traversal or improper input validation issue (CWE class) where user-supplied file paths are not adequately constrained. The file import feature, likely designed to load legitimate data or configuration files, lacks sufficient access controls to prevent overwriting critical application files, system configuration files, or executable code that could be subsequently executed by the application or operating system. The cryptocurrency trading context suggests the application handles sensitive financial data and authentication credentials, making file overwrite attacks particularly severe.

RemediationAI

Immediate remediation requires updating Zora to a patched version released after v2.60.0; however, no specific fix version number is provided in the available intelligence, and patch availability has not been independently confirmed. Users should check the official Zora website (https://zora.co/) and the research disclosure on GitHub (https://github.com/Secsys-FDU/AF_CVEs/issues/15) for available security updates and specific guidance. As a temporary mitigation, administrators should restrict access to the file import functionality to trusted users only, disable the import feature if not essential, and implement strict file system permissions to prevent overwriting of critical application and system files. Monitor file system access logs for suspicious modifications to application directories and credential stores.

Share

CVE-2026-30285 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy