Description
An arbitrary file overwrite vulnerability in InTouch Contacts & Caller ID APP v6.38.1 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
Published: 2026-03-31
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution via file overwrite
Action: Immediate Patch
AI Analysis

Impact

A flaw in the file import process of InTouch Contacts & Caller ID allows an attacker to overwrite any internal file if a crafted input is processed, potentially leading to execution of arbitrary code or leaking sensitive information. The weakness is a classic Absolute Path Traversal (CWE‑22).

Affected Systems

InTouch Contacts & Caller ID version 6.38.1 running on Android devices is affected. No other versions or vendors are listed.

Risk and Exploitability

The vulnerability scores a high CVSS of 8.4, indicating a severe impact. EPSS is below 1 %, suggesting a low probability of exploitation at this time, and it is not part of the CISA KEV catalog. Exploitation requires the attacker to supply a malicious file or convince a user to import one, so the attack vector is likely to be local or through social engineering. If the import function is invoked, the attacker can overwrite critical files and gain code execution.

Generated by OpenCVE AI on April 7, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official patch or upgrade to a newer version of InTouch Contacts & Caller ID if available
  • If no patch exists, block or disable the file import feature until a fix is released
  • Restrict file imports to trusted sources or apply ACLs on the device
  • Perform regular file integrity checks to detect unauthorized modifications
  • Monitor device activity for signs of unauthorized file writes or code execution

Generated by OpenCVE AI on April 7, 2026 at 23:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title InTouch Contacts & Caller ID v6.38.1 Arbitrary File Overwrite Vulnerability

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Intouchapp intouch Contacts \& Caller Id
CPEs cpe:2.3:a:intouchapp:intouch_contacts_\&_caller_id:6.38.1:*:*:*:*:android:*:*
Vendors & Products Intouchapp intouch Contacts \& Caller Id

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Intouchapp
Intouchapp intouch Contacts & Caller Id App
Vendors & Products Intouchapp
Intouchapp intouch Contacts & Caller Id App

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title InTouch Contacts & Caller ID v6.38.1 Arbitrary File Overwrite Vulnerability

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description An arbitrary file overwrite vulnerability in InTouch Contacts & Caller ID APP v6.38.1 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
References

Subscriptions

Intouchapp Intouch Contacts & Caller Id App Intouch Contacts \& Caller Id
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T14:41:54.710Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30290

cve-icon Vulnrichment

Updated: 2026-04-02T14:41:39.860Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T20:16:26.670

Modified: 2026-04-07T16:11:04.630

Link: CVE-2026-30290

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:28Z

Weaknesses