Description
An arbitrary file overwrite vulnerability in Tinybeans Private Family Album App v5.9.5-prod allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
Published: 2026-04-01
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution via File Overwrite
Action: Immediate Patch
AI Analysis

Impact

An attacker can supply a specially crafted file during the import feature of Tinybeans Private Family Album App, allowing them to overwrite essential internal files. The overwrite can trigger execution of arbitrary code or leak sensitive data, making this a serious flaw identified as CWE‑73. The vulnerability is rated with a CVSS score of 8.4, indicating a high severity risk.

Affected Systems

The flaw affects Tinybeans’ Private Family Album App version 5.9.5‑prod. Users running this build on Android devices are at risk, while later releases that have addressed the flaw are not vulnerable. No other vendor or product variants are listed.

Risk and Exploitability

Although the exploit probability is low (EPSS <1 %) and the flaw is not listed in the CISA KEV catalog, the potential for code execution makes it a high‑impact concern. The likely attack path involves delivering a crafted file to the app, which then processes the file and allows path traversal to overwrite protected resources. If users import content from an untrusted source, the vulnerability can be triggered without additional privileges.

Generated by OpenCVE AI on April 2, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Tinybeans Private Family Album App to a version that contains the fix, if one is available; otherwise, uninstall the application.
  • Prevent the app from importing files from untrusted or external sources by disabling file import or restricting file permissions.
  • Monitor device logs for unusual file write activity and consider using security solutions that detect privilege escalation on mobile devices.
  • Ensure that the device’s operating system and security updates are current to reduce the attack surface.

Generated by OpenCVE AI on April 2, 2026 at 22:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Arbitrary File Overwrite in Tinybeans Private Family Album App Enabling Code Execution
First Time appeared Tinybeans private Family Album App
Vendors & Products Tinybeans private Family Album App

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Arbitrary File Overwrite in Tinybeans Private Family Album App Enabling Code Execution
First Time appeared Tinybeans
Tinybeans private Family Album
CPEs cpe:2.3:a:tinybeans:private_family_album:5.9.5:*:*:*:*:android:*:*
Vendors & Products Tinybeans
Tinybeans private Family Album

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description An arbitrary file overwrite vulnerability in Tinybeans Private Family Album App v5.9.5-prod allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Tinybeans Private Family Album Private Family Album App
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T15:48:45.227Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30289

cve-icon Vulnrichment

Updated: 2026-04-01T15:42:12.413Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T14:16:49.910

Modified: 2026-04-02T19:40:06.643

Link: CVE-2026-30289

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:19:17Z

Weaknesses