Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An arbitrary file overwrite vulnerability in Deep Thought Industries ACE Scanner PDF Scanner v1.4.5 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
AnalysisAI
Deep Thought Industries ACE Scanner PDF Scanner v1.4.5 contains an arbitrary file overwrite vulnerability in its file import process that permits attackers to overwrite critical internal files, resulting in remote code execution or information disclosure. The vulnerability affects a mobile application distributed via Google Play Store. No CVSS score, active exploitation status, or patch information is currently available from vendor sources.
Technical ContextAI
The vulnerability resides in the file import mechanism of ACE Scanner PDF Scanner, a mobile PDF scanning application available on the Google Play Store. The underlying weakness involves insufficient validation or access controls on the file import process, allowing attackers to manipulate file paths or import operations to overwrite system or application-critical files. This arbitrary file overwrite capability (CWE class) can be chained to achieve code execution by overwriting executable files, libraries, or configuration files that the application loads during runtime, or to expose sensitive information by overwriting data files containing credentials or personal information. The mobile application context suggests the attack may require user interaction (such as importing a malicious file) or may exploit insecure default file permissions on the device.
RemediationAI
No vendor-released patch identified at time of analysis. Users should immediately check the Google Play Store for available updates to ACE Scanner PDF Scanner beyond v1.4.5, as patch release information has not been confirmed. As an interim mitigation, avoid importing PDF files or documents from untrusted sources until a patched version is confirmed available. Contact Deep Thought Industries directly via their official website (https://deepthought.industries/) to confirm patch status and expected release timeline. Refer to the security research disclosure at https://github.com/Secsys-FDU/AF_CVEs/issues/16 for additional technical details and potential workarounds documented by the research team.
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17887
GHSA-gx88-826r-jqp4