VYPR
Unrated severityOSV Advisory· Published Jan 28, 2026· Updated Jan 29, 2026

Authenticated Remote Code Execution via Arbitrary File Upload

CVE-2026-24897

Description

Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Erugooss/ErugoOSV2 versions
    v0.0.001, v0.0.002, v0.0.003, …+ 1 more
    • (no CPE)range: v0.0.001, v0.0.002, v0.0.003, …
    • (no CPE)range: <=0.2.14

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.