{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30289", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-01T15:48:45.227Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-01T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T13:59:47.343Z"}, "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Tinybeans Private Family Album App v5.9.5-prod allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://secsys.fudan.edu.cn/"}, {"url": "https://play.google.com/store/apps/details?id=com.tinybeans"}, {"url": "https://tinybeans.com/"}, {"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/17"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-73", "lang": "en", "description": "CWE-73 External Control of File Name or Path"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T15:44:54.545504Z", "id": "CVE-2026-30289", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:48:45.227Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30289", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-01T15:48:45.227Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-01T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T13:59:47.343Z"}, "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Tinybeans Private Family Album App v5.9.5-prod allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://secsys.fudan.edu.cn/"}, {"url": "https://play.google.com/store/apps/details?id=com.tinybeans"}, {"url": "https://tinybeans.com/"}, {"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/17"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30289", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T15:44:54.545504Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:42:12.413Z"}}]}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tinybeans:private_family_album:5.9.5:*:*:*:*:android:*:*", "matchCriteriaId": "4A78A0FE-9D92-4176-BB2A-95C70C22F84D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in Tinybeans Private Family Album App v5.9.5-prod allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "id": "CVE-2026-30289", "lastModified": "2026-04-02T19:40:06.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T14:16:49.910", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Secsys-FDU/AF_CVEs/issues/17"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://play.google.com/store/apps/details?id=com.tinybeans"}, {"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "https://secsys.fudan.edu.cn/"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://tinybeans.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.9.5-prod"}}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "private_family_album_app", "vendor": "tinybeans"}], "analysis": {"en": {"generated_at": "2026-04-02T22:00:55.782351+00:00", "value": {"mitigation_remediation": ["Update Tinybeans Private Family Album App to a version that contains the fix, if one is available; otherwise, uninstall the application.", "Prevent the app from importing files from untrusted or external sources by disabling file import or restricting file permissions.", "Monitor device logs for unusual file write activity and consider using security solutions that detect privilege escalation on mobile devices.", "Ensure that the device\u2019s operating system and security updates are current to reduce the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Code Execution via File Overwrite"}, "threat_synthesis": {"affected_systems": "The flaw affects Tinybeans\u2019 Private Family Album App version 5.9.5\u2011prod. Users running this build on Android devices are at risk, while later releases that have addressed the flaw are not vulnerable. No other vendor or product variants are listed.", "description_and_impact": "An attacker can supply a specially crafted file during the import feature of Tinybeans Private Family Album App, allowing them to overwrite essential internal files. The overwrite can trigger execution of arbitrary code or leak sensitive data, making this a serious flaw identified as CWE\u201173. The vulnerability is rated with a CVSS score of 8.4, indicating a high severity risk.", "risk_and_exploitability": "Although the exploit probability is low (EPSS <1\u202f%) and the flaw is not listed in the CISA KEV catalog, the potential for code execution makes it a high\u2011impact concern. The likely attack path involves delivering a crafted file to the app, which then processes the file and allows path traversal to overwrite protected resources. If users import content from an untrusted source, the vulnerability can be triggered without additional privileges."}}}}, "created": "2026-04-02T07:51:23.072753+00:00", "updated": "2026-04-03T09:19:17.993526+00:00", "vendors": ["tinybeans", "tinybeans$PRODUCT$private_family_album_app"]}