{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30290", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-02T14:41:54.710Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-31T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-31T19:33:07.552Z"}, "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in InTouch Contacts & Caller ID APP v6.38.1 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://secsys.fudan.edu.cn/"}, {"url": "https://www.intouchapp.com/"}, {"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/19"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:40:46.508279Z", "id": "CVE-2026-30290", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:41:54.710Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30290", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T14:40:46.508279Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:41:39.860Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://secsys.fudan.edu.cn/"}, {"url": "https://www.intouchapp.com/"}, {"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/19"}], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in InTouch Contacts & Caller ID APP v6.38.1 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-31T19:33:07.552Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30290", "state": "PUBLISHED", "dateUpdated": "2026-04-02T14:41:54.710Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-31T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:intouchapp:intouch_contacts_\\&_caller_id:6.38.1:*:*:*:*:android:*:*", "matchCriteriaId": "CC5EECA3-F5B4-4A89-947D-3C61F3BAE4B3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file overwrite vulnerability in InTouch Contacts & Caller ID APP v6.38.1 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure."}], "id": "CVE-2026-30290", "lastModified": "2026-04-07T16:11:04.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-31T20:16:26.670", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Secsys-FDU/AF_CVEs/issues/19"}, {"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "https://secsys.fudan.edu.cn/"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.intouchapp.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.38.1"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "intouch_contacts_&_caller_id_app", "vendor": "intouchapp"}], "analysis": {"en": {"generated_at": "2026-04-07T23:11:14.949224+00:00", "value": {"mitigation_remediation": ["Apply an official patch or upgrade to a newer version of InTouch Contacts & Caller ID if available", "If no patch exists, block or disable the file import feature until a fix is released", "Restrict file imports to trusted sources or apply ACLs on the device", "Perform regular file integrity checks to detect unauthorized modifications", "Monitor device activity for signs of unauthorized file writes or code execution"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary code execution via file overwrite"}, "threat_synthesis": {"affected_systems": "InTouch Contacts & Caller ID version 6.38.1 running on Android devices is affected. No other versions or vendors are listed.", "description_and_impact": "A flaw in the file import process of InTouch Contacts & Caller ID allows an attacker to overwrite any internal file if a crafted input is processed, potentially leading to execution of arbitrary code or leaking sensitive information. The weakness is a classic Absolute Path Traversal (CWE\u201122).", "risk_and_exploitability": "The vulnerability scores a high CVSS of 8.4, indicating a severe impact. EPSS is below 1\u202f%, suggesting a low probability of exploitation at this time, and it is not part of the CISA KEV catalog. Exploitation requires the attacker to supply a malicious file or convince a user to import one, so the attack vector is likely to be local or through social engineering. If the import function is invoked, the attacker can overwrite critical files and gain code execution."}}}}, "created": "2026-04-02T07:53:33.908177+00:00", "updated": "2026-04-08T20:00:28.639418+00:00", "vendors": ["intouchapp", "intouchapp$PRODUCT$intouch_contacts_&_caller_id_app"]}