CVE-2026-24897 is a critical security vulnerability identified in Erugo, an open-source, self-hosted file-sharing platform. The flaw exists in versions up to and including 0.2.14 and arises due to improper validation of user-supplied file paths when creating shares. Specifically, the application fails to properly restrict pathname inputs, allowing an authenticated user with low privileges to specify arbitrary writable paths on the server filesystem. By exploiting this path traversal weakness (CWE-22), an attacker can upload arbitrary files, including malicious scripts, to locations within the public web root. This leads to remote code execution (RCE) as the attacker can execute uploaded code on the server, fully compromising the Erugo instance. The vulnerability also relates to CWE-94 (code injection) and CWE-434 (unrestricted file upload). The exploit requires no elevated privileges beyond basic authentication and no user interaction, making it highly exploitable remotely. The vendor addressed the issue in version 0.2.15 by implementing proper path validation and restrictions. No public exploit code or active exploitation has been reported yet, but the vulnerability’s characteristics and CVSS 3.1 score of 10.0 indicate a critical risk.

For European organizations using Erugo versions prior to 0.2.15, this vulnerability poses a severe risk of full system compromise. Attackers can leverage low-privileged accounts to gain remote code execution, potentially leading to data theft, service disruption, or lateral movement within internal networks. Given Erugo’s role as a file-sharing platform, sensitive corporate or personal data could be exposed or manipulated. The ability to execute arbitrary code also enables attackers to deploy ransomware, backdoors, or pivot to other critical infrastructure. This threat is particularly impactful for organizations with strict data protection requirements under GDPR, as breaches could result in regulatory penalties and reputational damage. The lack of required elevated privileges or user interaction lowers the barrier for exploitation, increasing the likelihood of attacks if vulnerable instances are exposed to the internet or accessible by untrusted users.

European organizations should immediately upgrade all Erugo instances to version 0.2.15 or later, where the vulnerability is patched. Until upgrades are completed, restrict access to the Erugo platform to trusted users and networks only, employing network segmentation and firewall rules to limit exposure. Implement strict authentication and monitoring to detect unusual file upload activities or path traversal attempts. Conduct thorough audits of existing file shares and uploaded content to identify any unauthorized files or code. Employ application-layer security controls such as Web Application Firewalls (WAFs) configured to detect and block path traversal and code injection patterns. Additionally, enforce the principle of least privilege on user accounts to minimize potential damage from compromised low-privileged users. Regularly review and update incident response plans to include scenarios involving file upload and RCE attacks.