Description
An arbitrary file overwrite vulnerability in Zora: Post, Trade, Earn Crypto v2.60.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
Published: 2026-03-31
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows arbitrary overwrite of internal files during the file import process. An attacker could replace critical application files, leading to arbitrary code execution or information exposure. The weakness corresponds to CWE-22: Path Traversal.

Affected Systems

Affected product is Zora: Post, Trade, Earn Crypto version 2.60.0 on Android devices. The issue originates from the application’s file import functionality and impacts the Android platform.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity. EPSS is below 1%, suggesting low exploitation probability, and it is not listed in CISA KEV catalog. The attack vector is inferred to be through malicious content imported into the app, as the flaw is triggered during file processing. Exploitation would require an attacker to convince a user to import a crafted file or have access to the device’s filesystem to overwrite critical files.

Generated by OpenCVE AI on April 7, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zora: Post, Trade, Earn Crypto to the latest version that removes the unsafe file import path.
  • Disable or restrict the file import feature until a patch is available.
  • Monitor the device for unexpected file changes or execution of unknown binaries.
  • Keep the operating system and security patches up to date and enforce sandboxing for applications.

Generated by OpenCVE AI on April 7, 2026 at 23:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Arbitrary File Overwrite in Zora: Post, Trade, Earn Crypto v2.60.0 Enables Code Execution

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Zora zora
CPEs cpe:2.3:a:zora:zora:2.60.0:*:*:*:*:android:*:*
Vendors & Products Zora zora

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Zora
Zora post, Trade, Earn Crypto
Vendors & Products Zora
Zora post, Trade, Earn Crypto

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Arbitrary File Overwrite in Zora: Post, Trade, Earn Crypto v2.60.0 Enables Code Execution

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description An arbitrary file overwrite vulnerability in Zora: Post, Trade, Earn Crypto v2.60.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
References

Subscriptions

Zora Post, Trade, Earn Crypto Zora
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T14:39:24.734Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30285

cve-icon Vulnrichment

Updated: 2026-04-02T14:39:19.697Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T20:16:26.550

Modified: 2026-04-07T16:11:37.583

Link: CVE-2026-30285

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:29Z

Weaknesses