CVE-2026-24897
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD
Description
Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user-supplied paths when creating shares.
By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.
Affected (1)
Related CWEs
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-94
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
References (4)
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
Exploit, Vendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit, Vendor Advisory
Timeline (16)
2/9/2026 (7 changes)
Initial Analysis - Reference Type
03:32 PM
- -
+ GitHub, Inc.: https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369 Types: Exploit, Vendor Advisory
Initial Analysis - Reference Type
03:32 PM
- -
+ CISA-ADP: https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369 Types: Exploit, Vendor Advisory
Initial Analysis - Reference Type
03:32 PM
- -
+ GitHub, Inc.: https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15 Types: Release Notes
Initial Analysis - Reference Type
03:32 PM
- -
+ GitHub, Inc.: https://github.com/ErugoOSS/Erugo/commit/256bc63831a0b5e9a94cb024a0724e0cd5fa5e38 Types: Patch
Initial Analysis - CPE Configuration
03:32 PM
- -
+ OR
*cpe:2.3:a:erugo:erugo:*:*:*:*:*:*:*:* versions up to (including) 0.2.14
Initial Analysis - CWE
03:32 PM
- -
+ CWE-434
Initial Analysis - CVSS V3.1
03:32 PM
- -
+ AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1/29/2026 (1 change)
CVE Modified - Reference
05:16 PM
- -
+ https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369
1/28/2026 (8 changes)
New CVE Received - Reference
11:15 PM
- -
+ https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369
New CVE Received - Reference
11:15 PM
- -
+ https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15
New CVE Received - Reference
11:15 PM
- -
+ https://github.com/ErugoOSS/Erugo/commit/256bc63831a0b5e9a94cb024a0724e0cd5fa5e38
New CVE Received - CWE
11:15 PM
- -
+ CWE-434
New CVE Received - CWE
11:15 PM
- -
+ CWE-94
New CVE Received - CWE
11:15 PM
- -
+ CWE-22
New CVE Received - CVSS V3.1
11:15 PM
- -
+ AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
New CVE Received - Description
11:15 PM
- -
+ Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user-supplied paths when creating shares.
By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.