
Leon-Aware7

#23751 of 53,625
10 Total CVSS
Vulnerabilities · 1
PT-2026-5235
10
2026-01-28
Erugo · Erugo · CVE-2026-24897
**Name of the Vulnerable Software and Affected Versions**

Erugo versions up to and including 0.2.14

**Description**

Erugo is a self-hosted file-sharing platform. An authenticated, low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user-supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This allows a low-privileged user to fully compromise the affected Erugo instance.

The vulnerability is triggered through insufficient validation of paths used when creating shares. The vulnerable component allows attackers to upload files to arbitrary locations, potentially leading to the execution of malicious code.

**Recommendations**

Versions prior to 0.2.15 are affected. Update to version 0.2.15 to address the vulnerability.