CVE-2026-30291
Arbitrary File Overwrite in Ora Tools PDF Reader Enables Code Execution
Publication date: 2026-04-01
Last updated on: 2026-04-01
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ora_tools | pdf_reader | 4.3.5 |
| ora_tools | pdf_reader_reader_editor | 4.3.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an arbitrary file overwrite issue in the Ora Tools PDF Reader - Reader & Editor APP version 4.3.5. It allows attackers to overwrite critical internal files through the file import process.
By exploiting this flaw, attackers can cause arbitrary code execution or expose sensitive information within the application.
How can this vulnerability impact me?
The vulnerability can have serious impacts including allowing attackers to execute arbitrary code on your device, which could lead to full control over the application or device.
Additionally, it can lead to exposure of sensitive or critical information stored within the app, compromising your privacy and data security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Ora Tools PDF Reader - Reader & Editor APP v4.3.5 allows attackers to overwrite critical internal files via the file import process, potentially leading to arbitrary code execution or information exposure.
Such arbitrary file overwrite and information exposure vulnerabilities can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and modification.
Since the app may collect and share personal and financial information with third parties without encryption and without the ability for users to delete data, this vulnerability could exacerbate risks related to data breaches and unauthorized data manipulation, thereby increasing non-compliance risks with privacy regulations.