CRITICAL🇵🇱 Wersja polska

CVE-2026-24897

CVSS 10.0v3.1pub. 2026-01-28upd. 2026-02-09

Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.

🤖 AI Analysis
How it works

When creating a share, the application does not properly validate the target path specified by the user, which enables a path traversal attack. The attacker can specify a writable path within the public web root directory and upload any file there (e.g., a server script). A file uploaded in this way can then be executed by the web server, leading to remote code execution (RCE). As a result, a user with minimal privileges can gain full control over the Erugo instance.

Impact

The attacker can execute arbitrary code on the server, gaining full control over the Erugo instance, including access to stored data, and the ability to compromise the confidentiality, integrity, and availability of the system.

Mitigation & patch

Erugo should be updated to version 0.2.15, which eliminates the described vulnerability. The appropriate commit (256bc63831a0b5e9a94cb024a0724e0cd5fa5e38) and official release v0.2.15 are available in the vendor's repository.

Who is affected

Erugo in versions up to and including 0.2.14 (self-hosted). Any user account in the application is required.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Erugo

    APP
    Erugo
    ≤ 0.2.14
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References