CRITICAL🇵🇱 Wersja polska

CVE-2026-30281

CVSS 9.8v3.1pub. 2026-03-31upd. 2026-04-06

An arbitrary file overwrite vulnerability in MaruNuri LLC v2.0.23 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-73 (External Control of File Name or Path) consists of the lack of proper validation of file names or paths during the import process. An attacker can provide a specially crafted file whose name or path points to critical internal application files. As a result, the import mechanism overwrites these files with attacker-controlled content, which can result in arbitrary code execution or disclosure of sensitive data.

Impact

An attacker can cause arbitrary code execution (RCE) in the context of the application or disclose sensitive information processed by the application. High impact on the confidentiality, integrity, and availability of the system.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references. It is recommended to monitor the availability of updates on the manufacturer's website (maru.xyz) and in the Google Play Store. Until a fix is available, consider restricting the ability to import files from untrusted users.

Who is affected

Maru Neo application (neo.maru) by MaruNuri LLC version v2.0.23

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Maru Neo.maru

    APP
    Maru
    2.0.23
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References