{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24897", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T19:35:20.529Z", "datePublished": "2026-01-28T22:24:49.915Z", "dateUpdated": "2026-01-29T16:54:12.343Z"}, "containers": {"cna": {"title": "Authenticated Remote Code Execution via Arbitrary File Upload", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369"}, {"name": "https://github.com/ErugoOSS/Erugo/commit/256bc63831a0b5e9a94cb024a0724e0cd5fa5e38", "tags": ["x_refsource_MISC"], "url": "https://github.com/ErugoOSS/Erugo/commit/256bc63831a0b5e9a94cb024a0724e0cd5fa5e38"}, {"name": "https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15", "tags": ["x_refsource_MISC"], "url": "https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15"}], "affected": [{"vendor": "ErugoOSS", "product": "Erugo", "versions": [{"version": "< 0.2.15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T22:24:49.915Z"}, "descriptions": [{"lang": "en", "value": "Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user\u2011supplied paths when creating shares.\nBy specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue."}], "source": {"advisory": "GHSA-336w-hgpq-6369", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T16:00:06.947139Z", "id": "CVE-2026-24897", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T16:54:12.343Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24897", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-29T16:00:06.947139Z"}}}], "references": [{"url": "https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T16:00:10.666Z"}}], "cna": {"title": "Authenticated Remote Code Execution via Arbitrary File Upload", "source": {"advisory": "GHSA-336w-hgpq-6369", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ErugoOSS", "product": "Erugo", "versions": [{"status": "affected", "version": "< 0.2.15"}]}], "references": [{"url": "https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369", "name": "https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ErugoOSS/Erugo/commit/256bc63831a0b5e9a94cb024a0724e0cd5fa5e38", "name": "https://github.com/ErugoOSS/Erugo/commit/256bc63831a0b5e9a94cb024a0724e0cd5fa5e38", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15", "name": "https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user\u2011supplied paths when creating shares.\nBy specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T22:24:49.915Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24897", "state": "PUBLISHED", "dateUpdated": "2026-01-29T16:54:12.343Z", "dateReserved": "2026-01-27T19:35:20.529Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-28T22:24:49.915Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:erugo:erugo:*:*:*:*:*:*:*:*", "matchCriteriaId": "C29B289E-C12B-4F99-9844-9DF9CAB57CAD", "versionEndIncluding": "0.2.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user\u2011supplied paths when creating shares.\nBy specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue."}], "id": "CVE-2026-24897", "lastModified": "2026-02-09T15:32:42.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-28T23:15:51.270", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ErugoOSS/Erugo/commit/256bc63831a0b5e9a94cb024a0724e0cd5fa5e38"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:37:40.074292+00:00", "value": {"mitigation_remediation": ["Upgrade Erugo to version 0.2.15 or later to apply the vendor patch that validates share paths and removes the upload vulnerability.", "If an upgrade cannot be performed immediately, limit the set of directories that can receive uploads and enforce strict directory checks on the server side to prevent placement of files outside approved locations.", "Configure the web server to deny execution permissions on the public web root and any upload directories, ensuring that even if malicious files are deposited, they cannot be executed."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Erugo (provided by ErugoOSS) and all releases up to and including version 0.2.14 are vulnerable. Version 0.2.15 contains a fix and removes the path validation flaw.", "description_and_impact": "An authenticated, low\u2011privileged user can upload arbitrary files to any location within the Erugo instance because the application does not properly validate user\u2011supplied paths when creating shares. The vulnerability is a classic path traversal and arbitrary file upload flaw, corresponding to CWEs 22, 434, and 94. An attacker who exploits it can place executable code in the public web root and trigger its execution, which results in full compromise of the affected Erugo instance, allowing the attacker to execute commands, exfiltrate data, or alter system configuration.", "risk_and_exploitability": "The vulnerability scores a base CVSS of 10.0, indicating critical impact, while the EPSS score is below 1%, implying low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local to the web application, requiring only an authenticated low\u2011privileged user account to create a share with a specified path, and to construct a path that places a file under a writable location within the web root. Exploitation therefore requires legitimate login credentials and the ability to control the share path. If an attacker can obtain or compromise these credentials, the risk escalates sharply to complete server compromise."}}}}, "created": "2026-01-29T09:08:50.865536+00:00", "updated": "2026-04-18T14:45:03.135310+00:00", "vendors": ["erugooss", "erugooss$PRODUCT$erugo"]}