{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30285", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-02T14:39:24.734Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-31T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-31T19:19:44.946Z"}, "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Zora: Post, Trade, Earn Crypto v2.60.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://secsys.fudan.edu.cn/"}, {"url": "https://zora.co/"}, {"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/15"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:38:04.661413Z", "id": "CVE-2026-30285", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:39:24.734Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30285", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T14:38:04.661413Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:39:19.697Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://secsys.fudan.edu.cn/"}, {"url": "https://zora.co/"}, {"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/15"}], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Zora: Post, Trade, Earn Crypto v2.60.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-31T19:19:44.946Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30285", "state": "PUBLISHED", "dateUpdated": "2026-04-02T14:39:24.734Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-31T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Zora: Post, Trade, Earn Crypto v2.60.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "id": "CVE-2026-30285", "lastModified": "2026-04-02T15:16:36.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-31T20:16:26.550", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Secsys-FDU/AF_CVEs/issues/15"}, {"source": "cve@mitre.org", "url": "https://secsys.fudan.edu.cn/"}, {"source": "cve@mitre.org", "url": "https://zora.co/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-02T16:55:08.743002+00:00", "value": {"mitigation_remediation": ["Upgrade Zora: Post, Trade, Earn Crypto to a patched version that resolves the file overwrite issue.", "Disable or restrict the file import function for users who do not require it.", "Implement strict file type and size validation on the import endpoint to mitigate accidental overwrites.", "Monitor logs for unusual file system activity and unauthorized write attempts."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the Zora: Post, Trade, Earn Crypto application, specifically version 2.60.0. No other vendor or product versions were enumerated in the advisory, so the scope is limited to this release. Users running this exact version should assume they are exposed.", "description_and_impact": "An arbitrary file overwrite flaw exists in Zora: Post, Trade, Earn Crypto version 2.60.0. By manipulating the file import feature, a malicious actor can overwrite critical internal files, which may result in arbitrary code execution or unintended disclosure of sensitive information. The flaw maps to input validation weakness CWE\u201122, where improper handling of file names or paths enables overwrite of protected files.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a high\u2011impact flaw. Although the EPSS score is below 1%, suggesting a low likelihood of exploitation at this time, the vulnerability remains exploitable via the upload mechanism, and because it can trigger code execution, it poses a severe threat. The SECSYS advisory does not list it in CISA\u2019s KEV catalog, but the high severity warrants immediate attention. The attack vector is likely external and involves providing a crafted file through the import interface; this inference comes from the description of the overwrite capability."}}}}, "created": "2026-04-02T07:53:35.087571+00:00", "title": "Arbitrary File Overwrite in Zora: Post, Trade, Earn Crypto v2.60.0 Enables Code Execution", "updated": "2026-04-02T20:22:39.763923+00:00", "vendors": []}