Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An arbitrary file overwrite vulnerability in Funambol, Inc. Zefiro Cloud v32.0.2026011614 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
AnalysisAI
Arbitrary file overwrite in Funambol Zefiro Cloud v32.0.2026011614 allows attackers to overwrite critical internal files during the file import process, enabling remote code execution or information disclosure. The vulnerability affects the cloud application and its associated mobile client. No CVSS score or official vendor patch has been assigned as of analysis time, though the reported impact (RCE/information exposure) is severe.
Technical ContextAI
The vulnerability exists in Funambol's file import functionality, which fails to properly validate or restrict file paths during import operations. This allows path traversal or direct file overwrite attacks, enabling modification of system or application-critical files. The root cause appears to be insufficient input validation on user-supplied file paths or filenames during the import process. The affected technology is Zefiro Cloud, a cloud-based collaboration and file synchronization platform offered by Funambol, Inc., accessible both as a web service and via mobile client (Android app available on Google Play).
RemediationAI
Immediate remediation requires upgrading to a patched version of Zefiro Cloud beyond v32.0.2026011614; however, a specific fixed version has not been identified from available vendor advisories at time of analysis. Users should contact Funambol directly or monitor https://zefiro.me/ for security updates. As a temporary workaround, restrict file import functionality to trusted users only, disable the file import feature if not required, and implement file system permissions to prevent overwrite of critical application directories. Monitor the official Zefiro security documentation and the GitHub issue (https://github.com/Secsys-FDU/AF_CVEs/issues/14) for patch release announcements. Application-level input validation patches will require vendor deployment; no client-side mitigation fully resolves the issue without vendor fixes.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17579
GHSA-x992-q43f-mw8x