This vulnerability in FLY is FUN Aviation Navigation v35.33 enables attackers to overwrite arbitrary files on the system by exploiting the file import functionality. The flaw stems from improper pathname validation (CWE-22), which allows critical internal files to be overwritten. The impact includes potential arbitrary code execution and exposure of sensitive information. The CVSS 3.1 base score is 9.8, reflecting its critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No patch or vendor advisory is currently available, and the affected versions are not specifically enumerated beyond version 35.33.

An attacker can overwrite critical internal files without authentication, potentially leading to arbitrary code execution or disclosure of sensitive information. This can compromise the confidentiality, integrity, and availability of the affected system. The vulnerability is rated critical with a CVSS score of 9.8.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the file import functionality and monitor for suspicious activity related to file operations. Avoid importing untrusted files and consider isolating the affected system to reduce risk.