PT-2026-4303 · Runtipi · Runtipi

Kkc73 · Published 2026-01-22 · Updated 2026-02-26 · CVE-2026-24129

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Runtipi versions 3.7.0 through 4.6.9
Description: Runtipi is a Docker-based personal homeserver orchestrator. Versions 3.7.0 through 4.6.9 allow an authenticated user to execute arbitrary system commands on the host server. The cause is that the BackupManager does not sanitize the filenames of uploaded backups: user-uploaded files are written directly to the host filesystem under the original filename supplied in the request. An attacker can therefore stage a file whose name contains shell metacharacters at a predictable path; that path is later referenced during the restore process, and the metacharacters are interpreted as shell commands. The affected component is the BackupManager, and the vulnerable operation is the storage and restoration of backup files.
Recommendations: Update to version 4.7.0 or later.
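The description above boils down to two defects: trusting a client-supplied filename when writing to the host, and later passing that name through a shell. The following is an added example of how a backup-upload handler can close both gaps; it is not Runtipi's own code or the patch in 4.7.0. The function names (`isSafeBackupFilename`, `validateBackupFilename`, `resolveBackupPath`, `restoreArgs`, `runRestore`), the `.tar.gz` naming rule, and the `tar` invocation used to illustrate the restore step are all assumptions made for the example; the advisory does not state how Runtipi stores or restores backups.

```typescript
import * as path from "node:path";
import { execFile } from "node:child_process";

// Allowlist for the stored name of an uploaded backup (assumed policy for this example):
// a bare basename, alphanumeric start, only [A-Za-z0-9._-] afterwards, fixed ".tar.gz" suffix.
// This excludes path separators, whitespace, NUL and every shell metacharacter by construction,
// so the name cannot traverse out of the backup directory and carries nothing a shell could interpret.
const SAFE_BACKUP_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.tar\.gz$/;

// True when the client-supplied filename satisfies the allowlist.
export function isSafeBackupFilename(original: string): boolean {
  return (
    typeof original === "string" &&
    SAFE_BACKUP_NAME.test(original) &&
    // Defence in depth: the regex already forbids "/" and "\", but make the intent explicit.
    path.basename(original) === original
  );
}

// Throws instead of silently "cleaning" the name: a rejected upload is easier to audit
// than a rewritten one, and the client learns the naming rule from the error.
export function validateBackupFilename(original: string): string {
  if (!isSafeBackupFilename(original)) {
    throw new Error(`rejected backup filename: ${JSON.stringify(original)}`);
  }
  return original;
}

// Resolve the on-disk location for a validated name and confirm it stays inside backupDir.
export function resolveBackupPath(backupDir: string, original: string): string {
  const root = path.resolve(backupDir);
  const target = path.resolve(root, validateBackupFilename(original));
  if (!target.startsWith(root + path.sep)) {
    throw new Error(`backup path escapes ${root}: ${target}`);
  }
  return target;
}

// Build the restore invocation as an argument vector. Nothing here is ever concatenated into a
// shell command line, so even an unexpected character in backupPath would reach tar as data.
// (The insecure shape this replaces is string interpolation of the filename into exec("...").)
export function restoreArgs(backupPath: string, restoreDir: string): { file: string; args: string[] } {
  return { file: "tar", args: ["-xzf", backupPath, "-C", restoreDir] };
}

// Run the restore with execFile (no shell). Not invoked by the checks below; shown for completeness.
export function runRestore(backupDir: string, original: string, restoreDir: string): Promise<void> {
  const { file, args } = restoreArgs(resolveBackupPath(backupDir, original), restoreDir);
  return new Promise((resolve, reject) => {
    execFile(file, args, (err) => (err ? reject(err) : resolve()));
  });
}
```

The regex-plus-basename check rejects any name containing `/`, `..` components that would leave the directory, spaces, or characters such as `;`, `$`, backticks and `|`; `resolveBackupPath` re-checks containment after resolution; and `restoreArgs` keeps the filename out of any shell entirely, so the two layers are independent and either one alone would have broken the chain the advisory describes.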

Exploit · Fix · RCE · OS Command Injection


Weakness Enumeration

Related Identifiers: CVE-2026-24129, GHSA-VRGF-RCJ5-6GV9

Affected Products: Runtipi