Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An arbitrary file overwrite vulnerability in Tinybeans Private Family Album App v5.9.5-prod allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
AnalysisAI
Tinybeans Private Family Album App v5.9.5-prod contains an arbitrary file overwrite vulnerability in its file import process that enables remote attackers to overwrite critical internal files, resulting in arbitrary code execution or information disclosure. No CVSS score, EPSS data, or KEV status is available for this vulnerability, and no public exploit code has been independently confirmed at the time of analysis.
Technical ContextAI
The vulnerability exists within the file import functionality of the Tinybeans mobile application (Android package com.tinybeans). The flaw allows attackers to manipulate the file import process to overwrite arbitrary files on the device or within the application's protected storage. This type of vulnerability typically stems from insufficient input validation, improper path canonicalization, or missing access controls on file write operations. The root cause likely involves CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-434 (Unrestricted Upload of File with Dangerous Type), or similar file handling weaknesses. The impact chains to either arbitrary code execution (if system or application binaries are overwritten) or information exposure (if configuration or data files are targeted). The affected product is Tinybeans Private Family Album App specifically version 5.9.5-prod distributed via Google Play Store.
RemediationAI
No vendor-released patch version is independently confirmed at the time of analysis. Users of Tinybeans Private Family Album App should immediately check Google Play Store for app updates and install the latest available version. If a patched version is available, update the application as soon as possible. Until a confirmed patch is available, users should avoid importing files from untrusted sources via the application's import process. Administrators deploying this application in family or organizational settings should monitor the official Tinybeans website and Google Play Store security updates, and review any security advisories from the vendor. Additional details may be available from the disclosure source at https://github.com/Secsys-FDU/AF_CVEs/issues/17.
Same weakness CWE-73 – External Control of File Name or Path
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17889