CVE-2026-24897

CRITICAL

erugo <= 0.2.14 - Authenticated Path Traversal and Remote Code Execution via Share Creation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-24897. PoCs published by abdulmoiz.

AI-analyzed exploit summary This exploit demonstrates an authenticated RCE vulnerability in Erugo <= 0.2.14 by uploading a malicious PHP file via the Tus protocol and leveraging a path traversal flaw to place the file in the web root, allowing command execution.

Description

Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.

Exploits (1)

exploitdb WORKING POC
by abdulmoiz · pythonwebappsmultiple
https://www.exploit-db.com/exploits/52529

This exploit demonstrates an authenticated RCE vulnerability in Erugo <= 0.2.14 by uploading a malicious PHP file via the Tus protocol and leveraging a path traversal flaw to place the file in the web root, allowing command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Erugo <= 0.2.14
Auth required
Prerequisites: valid user credentials · network access to the target
devstral-2 · analyzed May 01, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 10.0
EPSS 0.0301
EPSS Percentile 85.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-22 CWE-434 CWE-94
Status published
Products (1)
erugo/erugo < 0.2.14
Published Jan 28, 2026
Tracked Since Feb 18, 2026