Erugo RCE: When 'File Sharing' Includes Sharing Your Server Root
Vulnerability ID: CVE-2026-24897
CVSS Score: 10.0
Published: 2026-01-28
A critical vulnerability in Erugo, a self-hosted file-sharing platform, lets any authenticated user achieve Remote Code Execution (RCE) through path traversal. By manipulating the file paths sent during bundle uploads or share creation, an attacker can make the server write a file of their choosing (for example a PHP web shell) directly into the web root instead of the upload directory, bypassing the restrictions the upload flow was meant to enforce.
TL;DR
Authenticated RCE in Erugo < 0.2.15. The application trusted user-supplied file paths in upload manifests and in the share-creation logic without canonicalizing them or checking that the result stayed inside the upload directory. An attacker can use ../../ sequences to escape that directory and write a PHP shell into the public web folder, resulting in full compromise of the host. Only an account able to upload is required, so a deployment with open registration is exposed to anyone on the network. Patch immediately.
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-24897
- CVSS: 10.0 (Critical)
- Attack Vector: Network (Authenticated)
- CWE: CWE-22 (Path Traversal)
- Components: TusdHooksController, EmailTemplatesController
- Status: Patched in v0.2.15
Affected Systems
- Erugo (Self-Hosted File Sharing)
- Erugo <= 0.2.14 (fixed in 0.2.15)
Code Analysis
Commit: 256bc63
Fix path traversal vulnerabilities in multiple controllers
Exploit Details
- Hypothetical (reconstructed from the patch diff, not a published exploit): an authenticated user places a traversal sequence such as ../../ in a file path carried by the JSON upload manifest or the share-creation request, so the server resolves the destination outside the upload directory and writes the attacker's content there.
Mitigation Strategies
- Input sanitization: reject any client-supplied path component that contains a path separator, a ".." segment or a NUL byte, and never let the client choose the directory a file lands in.
- Path canonicalization: resolve the final destination (following symlinks) and require that the upload directory is a whole-segment prefix of it before writing; a plain string-prefix comparison accepts uploads_evil/ as if it were inside uploads/.
- WAF filtering: a stopgap only. Encoded variants such as %2e%2e%2f slip past naive pattern rules, and a traversal inside a JSON body is not always inspected.
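The vulnerable pattern described in the TL;DR and the canonicalization fix above, shown side by side as an added example; this is not Erugo's code and does not reproduce the patched controllers. unsafe_join is the flaw in miniature, a client-supplied name joined onto the upload directory with no containment check, and safe_join is the canonicalize-then-compare form, including the cases a practitioner has to remember: absolute paths (which os.path.join silently lets replace the base), NUL bytes, and sibling directories that defeat a string-prefix check. The upload root, the payload names and the PathTraversalError type are assumptions made for the demonstration; the logic is language-agnostic and maps directly onto realpath-style calls in the PHP code the project ships.

```python
import os

# Hypothetical upload root for the demonstration; it is not Erugo's real
# storage layout. The directory does not need to exist for the checks to run.
BASE = "/srv/erugo/storage/uploads"


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would resolve outside its base directory."""


def unsafe_join(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: trust the client-supplied path and join it.

    os.path.join follows '..' segments without complaint and *discards*
    base_dir entirely when user_path is absolute; nothing checks where the
    result ends up.
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_join(base_dir: str, user_path: str) -> str:
    """Hardened form: reject the obvious, canonicalize, then prove containment.

    Containment is tested with os.path.commonpath, which compares whole path
    segments. A plain str.startswith(base) would accept
    '/srv/erugo/storage/uploads_evil/x' as being inside '.../uploads'.
    """
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    if os.path.isabs(user_path):
        raise PathTraversalError("absolute paths are not accepted")
    base = os.path.realpath(base_dir)
    # realpath resolves '..' and any symlink that exists along the way, so a
    # link planted inside the upload directory cannot point back out of it.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{user_path!r} escapes {base_dir}")
    return candidate


def is_rejected(base_dir: str, user_path: str) -> bool:
    """True if safe_join refuses user_path (used by the demo and the tests)."""
    try:
        safe_join(base_dir, user_path)
    except PathTraversalError:
        return True
    return False


# Constructed attacker-controlled names, the kind of value an upload manifest
# or a share request might carry.
PAYLOADS = {
    "benign": "bundle-1/report.pdf",
    "traversal": "../../public/shell.php",
    "absolute": "/var/www/html/shell.php",
    "sibling": "../uploads_evil/shell.php",
    "nul": "report.pdf\x00.php",
}


def demo(base_dir: str = BASE) -> dict:
    """Run every payload through both joins and report where each one lands."""
    report = {}
    for name, path in PAYLOADS.items():
        report[name] = {
            "unsafe": unsafe_join(base_dir, path),
            "safe": "rejected" if is_rejected(base_dir, path) else safe_join(base_dir, path),
        }
    return report


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10} unsafe -> {outcome['unsafe']}")
        print(f"{'':10} safe   -> {outcome['safe']}")
```

Note the order of operations: the containment check runs on the resolved path, after every decoding layer the framework applies, and immediately before the write. Checking the raw request string earlier and then passing it through another decode or join reintroduces the bug.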
Remediation Steps:
- Upgrade Erugo to version 0.2.15 or later immediately.
- Verify the integrity of the web root by scanning for PHP or executable files that are not part of the release, with particular attention to any directory that uploads can reach; a shell written before the upgrade is not removed by it.
- Disable open user registration if it is not strictly necessary until the patch is applied, since the bug is reachable by any account that can upload.
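A scanner for the web-root check in the remediation steps, added here as an example rather than a tool the Erugo project provides. It walks a document root and reports three things: PHP-executable file names that are not on an allowlist, any such file under a subtree that should only ever hold user data, and regular files with the execute bit set. The allowlist (index.php), the storage subtree name and the fixture layout are assumptions for the demonstration; build_fixture writes a constructed web root into a temporary directory so the scan runs offline.

```python
import os
import stat
import tempfile

# Suffixes the PHP engine, or a lax Apache handler configuration, may execute.
PHP_EXTENSIONS = (".php", ".phtml", ".phar", ".php5", ".php7", ".phps")

# Hypothetical allowlist: the PHP files a Laravel-style public/ directory ships.
# Regenerate it from the file list of the release you deploy.
EXPECTED_PHP = {"index.php"}

# Subtrees under the web root that must never contain code, e.g. user storage
# exposed through public/. Assumption for the demonstration, not Erugo's layout.
NO_CODE_SUBTREES = ("storage",)


def looks_like_php(filename: str) -> bool:
    """True if any dotted suffix of the name is a PHP-executable extension.

    Checking every suffix, not just the last one, catches 'avatar.php.jpg',
    which AddHandler-style Apache configs still hand to PHP.
    """
    parts = filename.lower().split(".")
    return any("." + p in PHP_EXTENSIONS for p in parts[1:])


def scan_webroot(webroot: str, expected: set = EXPECTED_PHP) -> list:
    """Return sorted (relative_path, reason) pairs for every suspicious file.

    Reasons: 'code-in-upload-area' for PHP-like names under NO_CODE_SUBTREES,
    'unexpected-php' for PHP-like names not on the allowlist, and
    'executable-bit' for regular files that are executable (PHP never needs it).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, webroot)
            top = rel.split(os.sep, 1)[0]
            if looks_like_php(fname):
                if top in NO_CODE_SUBTREES:
                    findings.append((rel, "code-in-upload-area"))
                elif rel not in expected:
                    findings.append((rel, "unexpected-php"))
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                findings.append((rel, "executable-bit"))
    return sorted(findings)


def build_fixture() -> str:
    """Create a constructed web root: one legitimate PHP file plus three plants."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.php": "<?php require __DIR__ . '/../vendor/autoload.php';",
        "css/app.css": "body{}",
        "storage/bundles/report.pdf": "%PDF-1.4",
        "storage/bundles/shell.php": "<?php /* planted via traversal */",
        "uploads/avatar.php.jpg": "<?php /* double extension */",
        "cgi/run": "#!/bin/sh\nid\n",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "cgi/run"), 0o755)  # the executable-bit case
    return root


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_fixture()):
        print(f"{reason:22} {rel}")
```

Run it against the real public/ directory after upgrading, with the allowlist regenerated from the release's file list. Anything it reports under an upload path is an indicator of compromise rather than a cleanup item: treat the host as breached, preserve the file and its timestamps for forensics, and rotate the credentials the application holds.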
References
- CVE-2026-24897 (published 2026-01-28)
- Erugo fix commit 256bc63, "Fix path traversal vulnerabilities in multiple controllers", shipped in v0.2.15