Skip to main content

Private Family Album CVE-2026-30289

| EUVDEUVD-2026-17889 HIGH
External Control of File Name or Path (CWE-73)
2026-04-01 cve@mitre.org
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 14:22 euvd
EUVD-2026-17889
Analysis Generated
Apr 01, 2026 - 14:22 vuln.today
CVE Published
Apr 01, 2026 - 14:16 nvd
HIGH 8.4

DescriptionCVE.org

An arbitrary file overwrite vulnerability in Tinybeans Private Family Album App v5.9.5-prod allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

AnalysisAI

Tinybeans Private Family Album App v5.9.5-prod contains an arbitrary file overwrite vulnerability in its file import process that enables remote attackers to overwrite critical internal files, resulting in arbitrary code execution or information disclosure. No CVSS score, EPSS data, or KEV status is available for this vulnerability, and no public exploit code has been independently confirmed at the time of analysis.

Technical ContextAI

The vulnerability exists within the file import functionality of the Tinybeans mobile application (Android package com.tinybeans). The flaw allows attackers to manipulate the file import process to overwrite arbitrary files on the device or within the application's protected storage. This type of vulnerability typically stems from insufficient input validation, improper path canonicalization, or missing access controls on file write operations. The root cause likely involves CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-434 (Unrestricted Upload of File with Dangerous Type), or similar file handling weaknesses. The impact chains to either arbitrary code execution (if system or application binaries are overwritten) or information exposure (if configuration or data files are targeted). The affected product is Tinybeans Private Family Album App specifically version 5.9.5-prod distributed via Google Play Store.

RemediationAI

No vendor-released patch version is independently confirmed at the time of analysis. Users of Tinybeans Private Family Album App should immediately check Google Play Store for app updates and install the latest available version. If a patched version is available, update the application as soon as possible. Until a confirmed patch is available, users should avoid importing files from untrusted sources via the application's import process. Administrators deploying this application in family or organizational settings should monitor the official Tinybeans website and Google Play Store security updates, and review any security advisories from the vendor. Additional details may be available from the disclosure source at https://github.com/Secsys-FDU/AF_CVEs/issues/17.

Share

CVE-2026-30289 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy