ErugoOSS Erugo is a self-hosted file-sharing platform that, in versions prior to 0.2.15, suffers from a critical path traversal vulnerability (CVE-2026-24897, CWE-22). The flaw arises from improper validation of user-supplied file paths when authenticated users create shares. Specifically, low-privileged users can specify arbitrary writable paths, including locations within the public web root, to upload files. This lack of path restriction enables attackers to upload malicious scripts or executables that the web server can then execute, resulting in remote code execution (RCE). The vulnerability also involves CWE-94 (Improper Control of Generation of Code) and CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating that uploaded files can contain executable code and are not properly sanitized. The CVSS 3.1 base score is 10.0 (critical), reflecting network attack vector, no required privileges or user interaction, and complete compromise of confidentiality, integrity, and availability with scope change. Although no known exploits are reported in the wild yet, the ease of exploitation and severity make this a critical threat. The issue is resolved in Erugo version 0.2.15 by enforcing proper path validation and restricting file upload locations.

For European organizations deploying ErugoOSS Erugo for internal or external file sharing, this vulnerability poses a severe risk. An attacker with a low-privileged authenticated account can fully compromise the server hosting Erugo, potentially gaining access to sensitive data, modifying or deleting files, and using the server as a foothold for lateral movement within the network. The ability to execute arbitrary code remotely can lead to data breaches, ransomware deployment, or disruption of services. Given the criticality and ease of exploitation, organizations face high risks to confidentiality, integrity, and availability. This is particularly concerning for sectors with strict data protection regulations such as GDPR, where unauthorized data access or service disruption can result in significant legal and financial penalties. The threat is amplified if Erugo instances are internet-facing or integrated with other critical infrastructure.

European organizations should immediately upgrade all ErugoOSS Erugo instances to version 0.2.15 or later, where the vulnerability is patched. Until upgrades are applied, restrict access to the application to trusted internal networks and enforce strict authentication controls to limit user accounts to only those necessary. Implement monitoring and alerting for suspicious file uploads or unusual web root modifications. Conduct thorough audits of existing file shares to detect any unauthorized files or code. Employ web application firewalls (WAFs) with rules to detect and block path traversal attempts. Additionally, segregate the Erugo server environment to minimize impact in case of compromise and regularly back up critical data to enable recovery. Educate administrators and users about the risks of uploading untrusted files and enforce least privilege principles for user accounts.