Skip to main content

Funambol CVE-2026-30286

| EUVDEUVD-2026-17579 CRITICAL
Path Traversal (CWE-22)
2026-03-31 mitre GHSA-x992-q43f-mw8x
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 31, 2026 - 18:16 euvd
EUVD-2026-17579
Analysis Generated
Mar 31, 2026 - 18:16 vuln.today
CVE Published
Mar 31, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

An arbitrary file overwrite vulnerability in Funambol, Inc. Zefiro Cloud v32.0.2026011614 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

AnalysisAI

Arbitrary file overwrite in Funambol Zefiro Cloud v32.0.2026011614 allows attackers to overwrite critical internal files during the file import process, enabling remote code execution or information disclosure. The vulnerability affects the cloud application and its associated mobile client. No CVSS score or official vendor patch has been assigned as of analysis time, though the reported impact (RCE/information exposure) is severe.

Technical ContextAI

The vulnerability exists in Funambol's file import functionality, which fails to properly validate or restrict file paths during import operations. This allows path traversal or direct file overwrite attacks, enabling modification of system or application-critical files. The root cause appears to be insufficient input validation on user-supplied file paths or filenames during the import process. The affected technology is Zefiro Cloud, a cloud-based collaboration and file synchronization platform offered by Funambol, Inc., accessible both as a web service and via mobile client (Android app available on Google Play).

RemediationAI

Immediate remediation requires upgrading to a patched version of Zefiro Cloud beyond v32.0.2026011614; however, a specific fixed version has not been identified from available vendor advisories at time of analysis. Users should contact Funambol directly or monitor https://zefiro.me/ for security updates. As a temporary workaround, restrict file import functionality to trusted users only, disable the file import feature if not required, and implement file system permissions to prevent overwrite of critical application directories. Monitor the official Zefiro security documentation and the GitHub issue (https://github.com/Secsys-FDU/AF_CVEs/issues/14) for patch release announcements. Application-level input validation patches will require vendor deployment; no client-side mitigation fully resolves the issue without vendor fixes.

Share

CVE-2026-30286 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy