Vulnerability Description
Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Erugo | Erugo | <= 0.2.14 |
Related Weaknesses (CWE)
References
- https://github.com/ErugoOSS/Erugo/commit/256bc63831a0b5e9a94cb024a0724e0cd5fa5e3Patch
- https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15Release Notes
- https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369ExploitVendor Advisory
- https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369ExploitVendor Advisory
FAQ
What is CVE-2026-24897?
CVE-2026-24897 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient vali...
How severe is CVE-2026-24897?
CVE-2026-24897 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-24897?
Check the references section above for vendor advisories and patch information. Affected products include: Erugo Erugo.