CVE-2026-24897 PUBLISHED

Authenticated Remote Code Execution via Arbitrary File Upload

Assigner: GitHub_M
Reserved: 27.01.2026 Published: 28.01.2026 Updated: 29.01.2026

Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	ErugoOSS
Product	Erugo
Versions	Version < 0.2.15 is affected

References

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
CWE-94: Improper Control of Generation of Code ('Code Injection') CWE
CWE-434: Unrestricted Upload of File with Dangerous Type CWE