Skip to main content

Ora Tools PDF Reader CVE-2026-30291

| EUVDEUVD-2026-17891 HIGH
External Control of File Name or Path (CWE-73)
2026-04-01 mitre
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 19:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 01, 2026 - 15:00 euvd
EUVD-2026-17891
Analysis Generated
Apr 01, 2026 - 15:00 vuln.today
CVE Published
Apr 01, 2026 - 00:00 nvd
HIGH 8.4

DescriptionCVE.org

An arbitrary file overwrite vulnerability in Ora Tools PDF Reader ' Reader & Editor APPv4.3.5 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

AnalysisAI

Arbitrary file overwrite in Ora Tools PDF Reader & Editor APP v4.3.5 enables attackers to overwrite critical internal files through the file import process, resulting in arbitrary code execution or information exposure. The vulnerability affects the Android application and has been publicly disclosed; however, CVSS scoring, CISA KEV status, and vendor patch availability have not been independently confirmed at time of analysis.

Technical ContextAI

The vulnerability resides in the file import functionality of Ora Tools PDF Reader & Editor, an Android application available on Google Play Store. The root cause involves insufficient validation or access controls during the file import process, permitting attackers to write arbitrary content to critical application files or system directories. This type of flaw typically relates to insecure file handling (CWE-434: Unrestricted Upload of File with Dangerous Type or related path traversal/arbitrary write categories). The affected product is identified as Ora Tools PDF Reader & Editor APP v4.3.5 (Android mobile application), though CPE data provided is generic (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*), indicating formal vendor CPE registration may be incomplete.

RemediationAI

Users of Ora Tools PDF Reader & Editor should upgrade to a patched version released by the vendor subsequent to v4.3.5; however, exact fixed version number is not specified in provided data. Check the official Ora Tools GitHub repository (https://oratools.github.io/) and Google Play Store listing (https://play.google.com/store/apps/details?id=pdf.reader.editor.office.ora) for the latest available release and install updates immediately. Review the public disclosure on the researcher's GitHub issue (https://github.com/Secsys-FDU/AF_CVEs/issues/18) for detailed technical information and any interim mitigations. Until patched, exercise caution when importing files from untrusted sources, as the vulnerability is triggered during the file import process.

Share

CVE-2026-30291 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy