Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
An arbitrary file overwrite vulnerability in Ora Tools PDF Reader ' Reader & Editor APPv4.3.5 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
AnalysisAI
Arbitrary file overwrite in Ora Tools PDF Reader & Editor APP v4.3.5 enables attackers to overwrite critical internal files through the file import process, resulting in arbitrary code execution or information exposure. The vulnerability affects the Android application and has been publicly disclosed; however, CVSS scoring, CISA KEV status, and vendor patch availability have not been independently confirmed at time of analysis.
Technical ContextAI
The vulnerability resides in the file import functionality of Ora Tools PDF Reader & Editor, an Android application available on Google Play Store. The root cause involves insufficient validation or access controls during the file import process, permitting attackers to write arbitrary content to critical application files or system directories. This type of flaw typically relates to insecure file handling (CWE-434: Unrestricted Upload of File with Dangerous Type or related path traversal/arbitrary write categories). The affected product is identified as Ora Tools PDF Reader & Editor APP v4.3.5 (Android mobile application), though CPE data provided is generic (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*), indicating formal vendor CPE registration may be incomplete.
RemediationAI
Users of Ora Tools PDF Reader & Editor should upgrade to a patched version released by the vendor subsequent to v4.3.5; however, exact fixed version number is not specified in provided data. Check the official Ora Tools GitHub repository (https://oratools.github.io/) and Google Play Store listing (https://play.google.com/store/apps/details?id=pdf.reader.editor.office.ora) for the latest available release and install updates immediately. Review the public disclosure on the researcher's GitHub issue (https://github.com/Secsys-FDU/AF_CVEs/issues/18) for detailed technical information and any interim mitigations. Until patched, exercise caution when importing files from untrusted sources, as the vulnerability is triggered during the file import process.
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17891