{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30285", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-02T14:39:24.734Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-31T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-31T19:19:44.946Z"}, "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Zora: Post, Trade, Earn Crypto v2.60.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://secsys.fudan.edu.cn/"}, {"url": "https://zora.co/"}, {"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/15"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:38:04.661413Z", "id": "CVE-2026-30285", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:39:24.734Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30285", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T14:38:04.661413Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:39:19.697Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://secsys.fudan.edu.cn/"}, {"url": "https://zora.co/"}, {"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/15"}], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Zora: Post, Trade, Earn Crypto v2.60.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-31T19:19:44.946Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30285", "state": "PUBLISHED", "dateUpdated": "2026-04-02T14:39:24.734Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-31T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zora:zora:2.60.0:*:*:*:*:android:*:*", "matchCriteriaId": "EDA2FE6E-4F49-4855-BE21-D0E305688F64", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Zora: Post, Trade, Earn Crypto v2.60.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "id": "CVE-2026-30285", "lastModified": "2026-04-07T16:11:37.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-31T20:16:26.550", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Secsys-FDU/AF_CVEs/issues/15"}, {"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "https://secsys.fudan.edu.cn/"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://zora.co/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.60.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "post,_trade,_earn_crypto", "vendor": "zora"}], "analysis": {"en": {"generated_at": "2026-04-07T23:11:29.966813+00:00", "value": {"mitigation_remediation": ["Update Zora: Post, Trade, Earn Crypto to the latest version that removes the unsafe file import path.", "Disable or restrict the file import feature until a patch is available.", "Monitor the device for unexpected file changes or execution of unknown binaries.", "Keep the operating system and security patches up to date and enforce sandboxing for applications."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected product is Zora: Post, Trade, Earn Crypto version 2.60.0 on Android devices. The issue originates from the application\u2019s file import functionality and impacts the Android platform.", "description_and_impact": "The vulnerability allows arbitrary overwrite of internal files during the file import process. An attacker could replace critical application files, leading to arbitrary code execution or information exposure. The weakness corresponds to CWE-22: Path Traversal.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity. EPSS is below 1%, suggesting low exploitation probability, and it is not listed in CISA KEV catalog. The attack vector is inferred to be through malicious content imported into the app, as the flaw is triggered during file processing. Exploitation would require an attacker to convince a user to import a crafted file or have access to the device\u2019s filesystem to overwrite critical files."}}}}, "created": "2026-04-02T07:53:35.087571+00:00", "updated": "2026-04-08T20:00:29.744822+00:00", "vendors": ["zora", "zora$PRODUCT$post,_trade,_earn_crypto"]}