CVE-2026-24897

CriticalPublic PoCRCE

Published: 28 January 2026

Published

28 January 2026

Modified

09 February 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0097 76.8th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24897 is a critical-severity Path Traversal (CWE-22) vulnerability in Erugo Erugo. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses insufficient validation of user-supplied paths by requiring input validation to block path traversal and arbitrary file uploads.

AC-3 Access Enforcement good match

prevent

Enforces access control policies to prevent low-privileged users from writing files to unauthorized locations such as the public web root.

SI-9 Information Input Restrictions partial match

prevent

Restricts user-supplied path inputs to safe formats, lengths, and characters to mitigate path traversal attempts.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Path traversal and unrestricted file upload in public-facing web application (Erugo) enables exploitation for RCE (T1190). Low-privileged access escalates to full server control via the vulnerability (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path…

within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.

Deeper analysisAI

CVE-2026-24897 affects Erugo, a self-hosted file-sharing platform, in versions up to and including 0.2.14. The vulnerability stems from insufficient validation of user-supplied paths during share creation, enabling an authenticated low-privileged user to upload arbitrary files to any specified location on the server. This flaw is classified under CWE-22 (Path Traversal), CWE-94 (Code Injection), and CWE-434 (Unrestricted Upload), with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

An attacker with low-privileged authenticated access can exploit this by specifying a writable path within the public web root, uploading and executing arbitrary code to achieve remote code execution (RCE). This grants full compromise of the Erugo instance, potentially leading to complete server control.

Erugo version 0.2.15 addresses the issue with a fix detailed in commit 256bc63831a0b5e9a94cb024a0724e0cd5fa5e38. Security practitioners should upgrade to this version immediately, as outlined in the GitHub Security Advisory GHSA-336w-hgpq-6369 and the v0.2.15 release notes.