Vulnerability Details CVE-2026-24897
Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares.
By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 36.9%
CVSS Severity
CVSS v3 Score 10.0
References
Products affected by CVE-2026-24897
-
cpe:2.3:a:erugo:erugo:0.0.001
-
cpe:2.3:a:erugo:erugo:0.0.002
-
cpe:2.3:a:erugo:erugo:0.0.003
-
cpe:2.3:a:erugo:erugo:0.0.004
-
cpe:2.3:a:erugo:erugo:0.0.005
-
cpe:2.3:a:erugo:erugo:0.0.005-g
-
cpe:2.3:a:erugo:erugo:0.0.005-n
-
cpe:2.3:a:erugo:erugo:0.0.006
-
cpe:2.3:a:erugo:erugo:0.0.006b
-
cpe:2.3:a:erugo:erugo:0.0.007
-
cpe:2.3:a:erugo:erugo:0.0.008
-
cpe:2.3:a:erugo:erugo:0.0.009
-
cpe:2.3:a:erugo:erugo:0.0.010
-
cpe:2.3:a:erugo:erugo:0.0.011
-
cpe:2.3:a:erugo:erugo:0.1.1
-
cpe:2.3:a:erugo:erugo:0.2.0
-
cpe:2.3:a:erugo:erugo:0.2.14