Description
Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares.
By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.
Published: 2026-01-28
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An authenticated, low‑privileged user can upload arbitrary files to any location within the Erugo instance because the application does not properly validate user‑supplied paths when creating shares. The vulnerability is a classic path traversal and arbitrary file upload flaw, corresponding to CWEs 22, 434, and 94. An attacker who exploits it can place executable code in the public web root and trigger its execution, which results in full compromise of the affected Erugo instance, allowing the attacker to execute commands, exfiltrate data, or alter system configuration.

Affected Systems

The affected product is Erugo (provided by ErugoOSS) and all releases up to and including version 0.2.14 are vulnerable. Version 0.2.15 contains a fix and removes the path validation flaw.

Risk and Exploitability

The vulnerability scores a base CVSS of 10.0, indicating critical impact, while the EPSS score is below 1%, implying a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local to the web application: an authenticated low‑privileged user account needs only to create a share with a specified path, constructed so that the file lands under a writable location within the web root. Exploitation therefore requires legitimate login credentials and the ability to control the share path. If an attacker can obtain or compromise such credentials, the risk escalates sharply to complete server compromise.

Generated by OpenCVE AI on April 18, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Erugo to version 0.2.15 or later to apply the vendor patch that validates share paths and removes the upload vulnerability.
  • If an upgrade cannot be performed immediately, limit the set of directories that can receive uploads and enforce strict directory checks on the server side to prevent placement of files outside approved locations.
  • Configure the web server to deny execution permissions on the public web root and any upload directories, ensuring that even if malicious files are deposited, they cannot be executed.
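The server-side directory check recommended above, as an added Python example (not Erugo's own code; the page does not show its share-creation logic): a user-supplied share path is accepted only if it canonicalises to a location under an approved shares root. The root path and the sibling "public" web root used in demo() are constructed placeholders, and the layout assumes a POSIX filesystem with symlink support.

```python
import os
import tempfile
from pathlib import Path

def resolve_share_path(shares_root: str, user_path: str) -> Path:
    """Map a user-supplied share path onto the approved shares directory.

    Raises ValueError if the path is absolute, contains a null byte, or (after
    collapsing '..' and following existing symlinks) lands outside shares_root.
    """
    if "\x00" in user_path:
        raise ValueError("null byte in share path")
    if not user_path or Path(user_path).is_absolute() or user_path[0] in "/\\":
        raise ValueError("share path must be a non-empty relative path")
    root = Path(shares_root).resolve()
    # Canonicalise before comparing so '..' segments and symlinks already
    # present inside the root cannot lead the final location outside it.
    candidate = (root / user_path).resolve()
    # commonpath, not str.startswith: 'shares-old/x' must not count as inside 'shares'.
    if os.path.commonpath([str(root), str(candidate)]) != str(root):
        raise ValueError(f"share path escapes the shares root: {user_path!r}")
    return candidate

def is_safe_share_path(shares_root: str, user_path: str) -> bool:
    """Boolean form of resolve_share_path for validation call sites."""
    try:
        resolve_share_path(shares_root, user_path)
        return True
    except ValueError:
        return False

def demo() -> dict:
    """Run the check over a constructed layout (approved shares root, a sibling
    'public' web root, a symlink inside the root pointing at it); returns
    {share_path: verdict_matches_expectation}."""
    base = Path(tempfile.mkdtemp()).resolve()
    shares, public = base / "shares", base / "public"
    shares.mkdir()
    public.mkdir()
    (shares / "escape").symlink_to(public, target_is_directory=True)
    cases = {
        "docs/report.pdf": True,                # plain relative path, stays inside
        "../public/shell.php": False,           # traversal straight into the web root
        "docs/../../public/shell.php": False,   # traversal hidden behind a valid prefix
        "../shares-old/x.php": False,           # sibling dir sharing a name prefix
        "escape/shell.php": False,              # symlink inside the root leading out
        str(public / "shell.php"): False,       # absolute path into the web root
    }
    return {p: is_safe_share_path(str(shares), p) == want for p, want in cases.items()}
```

Pair the check with the execution-permission hardening in the last bullet: the validation stops files landing in the web root, and the web server configuration stops anything that does land there from running.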



Advisories

No advisories yet.

History

Mon, 09 Feb 2026 15:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Erugo, Erugo erugo
CPEs                |                | cpe:2.3:a:erugo:erugo:*:*:*:*:*:*:*:*
Vendors & Products  |                | Erugo, Erugo erugo

Thu, 29 Jan 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 29 Jan 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Erugooss, Erugooss erugo
Vendors & Products  |                | Erugooss, Erugooss erugo

Wed, 28 Jan 2026 22:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.
Title       |                | Authenticated Remote Code Execution via Arbitrary File Upload
Weaknesses  |                | CWE-22, CWE-434, CWE-94
References  |                |
Metrics     |                | cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T16:54:12.343Z

Reserved: 2026-01-27T19:35:20.529Z

Link: CVE-2026-24897

Vulnrichment

Updated: 2026-01-29T16:00:10.666Z

NVD

Status: Analyzed

Published: 2026-01-28T23:15:51.270

Modified: 2026-02-09T15:32:42.827

Link: CVE-2026-24897

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:45:03Z

Weaknesses