Description
An arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation v35.33 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
Published: 2026-03-31
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Overwrite Leading to Code Execution
Action: Upgrade
AI Analysis

Impact

An arbitrary file overwrite problem in the FLY is FUN Aviation Navigation application allows an attacker to replace critical internal files by exploiting the file import feature. This can result in the execution of arbitrary code or the exposure of sensitive information, reflecting a file path traversal and unrestricted write weakness (CWE‑22).

Affected Systems

The vulnerability applies to Funair’s FLY is FUN Aviation Navigation version 35.33 on Android devices, as identified by the CPE record for that product.

Risk and Exploitability

With a CVSS score of 9.8 the flaw is classified as critical. The EPSS score of under 1 % indicates a low projected exploitation chance and the issue is not present in the CISA KEV catalog. Nonetheless, exploitation can likely occur remotely via the import functionality if an attacker can supply or trigger the upload, enabling code execution within the application’s context or leaking confidential data.

Generated by OpenCVE AI on April 6, 2026 at 17:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a software update that removes the vulnerable file import functionality
  • If an update is unavailable, disable or constrain the file import feature to trusted users only
  • Enforce strict permissions on internal application files to prevent unauthorized writes
  • Monitor system logs for anomalous file modification events
  • Verify file integrity after each update or change to the application

Generated by OpenCVE AI on April 6, 2026 at 17:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Arbitrary File Overwrite Leading to Code Execution in FLY is FUN Aviation Navigation

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Funair
Funair fly Is Fun
CPEs cpe:2.3:a:funair:fly_is_fun:35.33:*:*:*:*:android:*:*
Vendors & Products Funair
Funair fly Is Fun

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Fly Is Fun
Fly Is Fun aviation Navigation
Vendors & Products Fly Is Fun
Fly Is Fun aviation Navigation

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Arbitrary File Overwrite Vulnerability in FLY is FUN Aviation Navigation v35.33

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Arbitrary File Overwrite Vulnerability in FLY is FUN Aviation Navigation v35.33
Weaknesses CWE-22

Tue, 31 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description An arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation v35.33 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
References

Subscriptions

Fly Is Fun Aviation Navigation
Funair Fly Is Fun
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T14:19:48.538Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30278

cve-icon Vulnrichment

Updated: 2026-04-02T14:19:41.943Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T18:16:46.863

Modified: 2026-04-06T15:01:01.663

Link: CVE-2026-30278

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:24Z

Weaknesses