CVE-2026-24897

CriticalPublic PoC

Published: 28 January 2026

Published

28 January 2026

Modified

09 February 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0097 76.7th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Description

Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path…

within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses insufficient validation of user-supplied paths by requiring input validation to block path traversal and arbitrary file uploads.

AC-3 Access Enforcement good match

prevent

Enforces access control policies to prevent low-privileged users from writing files to unauthorized locations such as the public web root.

SI-9 Information Input Restrictions partial match

prevent

Restricts user-supplied path inputs to safe formats, lengths, and characters to mitigate path traversal attempts.

Security SummaryAI

CVE-2026-24897 affects Erugo, a self-hosted file-sharing platform, in versions up to and including 0.2.14. The vulnerability stems from insufficient validation of user-supplied paths during share creation, enabling an authenticated low-privileged user to upload arbitrary files to any specified location on the server. This flaw is classified under CWE-22 (Path Traversal), CWE-94 (Code Injection), and CWE-434 (Unrestricted Upload), with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

An attacker with low-privileged authenticated access can exploit this by specifying a writable path within the public web root, uploading and executing arbitrary code to achieve remote code execution (RCE). This grants full compromise of the Erugo instance, potentially leading to complete server control.

Erugo version 0.2.15 addresses the issue with a fix detailed in commit 256bc63831a0b5e9a94cb024a0724e0cd5fa5e38. Security practitioners should upgrade to this version immediately, as outlined in the GitHub Security Advisory GHSA-336w-hgpq-6369 and the v0.2.15 release notes.

Details

CWE(s): CWE-22 CWE-94 CWE-434

Affected Products

erugo

≤ 0.2.14

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Path traversal and unrestricted file upload in public-facing web application (Erugo) enables exploitation for RCE (T1190). Low-privileged access escalates to full server control via the vulnerability (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/ErugoOSS/Erugo/commit/256bc63831a0b5e9a94cb024a0724e0cd5fa5e38
Patch · security-advisories@github.com
https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15
Release Notes · security-advisories@github.com
https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369
Exploit, Vendor Advisory · security-advisories@github.com
https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369
Exploit, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0