CVE-2026-24897

10.0 CRITICAL
Published: January 28, 2026 Modified: February 09, 2026

Description

Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.

AI Explanation

### 1. Plain-Language Summary

This vulnerability allows a low-privileged user (for example, an account with only basic permissions) on the Erugo file-sharing platform to upload files to sensitive server locations by manipulating the destination path supplied when creating a share. Because the path is not properly validated, a file can be written into the server's public web directory, where a web shell or script placed there can be executed, giving the attacker remote control of the system.

### 2. Affected Products/Versions

- **Product**: Erugo (self-hosted file-sharing platform).
- **Affected Versions**: All versions **up to and including 0.2.14**.
- **Fixed Version**: 0.2.15 (and later).

### 3. Attacker's Exploit Impact

If exploited, an attacker could:

- **Execute arbitrary code** (e.g., run commands, install malware, or access/steal sensitive data).
- **Fully compromise the server**, including all files, user data, and hosted content.
- **Move laterally**: use the compromised server to attack other internal systems.

### 4. Recommended Remediation

- **Immediate Action**: Upgrade Erugo to **version 0.2.15 or later** (the patched version).
- **Workaround (if upgrade isn't immediate)**: Restrict write permissions on the public web root so that the application cannot write there on behalf of low-privileged users, and block path traversal attempts at the WAF (e.g., rules that detect `../` in share paths).
- **Validation**: After patching, verify that low-privileged users can no longer upload files outside the designated share directories.
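The remediation above comes down to one check: a user-supplied destination must resolve to a location inside the designated share root before anything is written. The following Python is an added illustration, not Erugo's own code; the share root `/srv/erugo/storage/shares` is a constructed path and need not exist. It shows the weak pattern (trusting the path and joining it onto the root) next to a hardened resolver that rejects absolute paths, traversal and symlink escapes.

```python
import os

# Constructed base directory for this example; it does not need to exist.
SHARE_ROOT = "/srv/erugo/storage/shares"


class UnsafePathError(ValueError):
    """Raised when a user-supplied destination would leave the share root."""


def naive_destination(base_dir: str, user_path: str) -> str:
    """The weak pattern: trust the user path and just join it onto the root.
    os.path.join() discards base_dir entirely when user_path is absolute,
    and '..' segments are kept, so the result can point anywhere on disk."""
    return os.path.join(base_dir, user_path)


def resolve_destination(base_dir: str, user_path: str) -> str:
    """Hardened version: map user_path to an absolute path and prove it is
    still strictly inside base_dir after normalisation and symlink resolution."""
    if not user_path or "\x00" in user_path:
        raise UnsafePathError("empty path or embedded NUL byte")
    if os.path.isabs(user_path) or "\\" in user_path:
        # Absolute paths and backslash separators are never legitimate here.
        raise UnsafePathError(f"absolute or non-portable path: {user_path!r}")
    base = os.path.realpath(base_dir)
    # realpath() collapses '.' and '..' and follows symlinks for the components
    # that exist, so a symlink planted inside the root cannot escape it either.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"path escapes share root: {user_path!r}")
    return candidate


def is_safe_destination(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        resolve_destination(base_dir, user_path)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one benign share path and two that try to escape.
    for p in ("reports/q1.pdf", "../../../var/www/public/x.php", "/var/www/public/x.php"):
        print(f"{p!r:40} naive={naive_destination(SHARE_ROOT, p)!r} "
              f"safe={is_safe_destination(SHARE_ROOT, p)}")
```

The same check belongs at every place a path is taken from the request, not only on share creation, and it should run after any decoding the framework applies.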

Generated: 2026-02-01 00:20

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15
Source: security-advisories@github.com
Tags: Release Notes

https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369
Source: security-advisories@github.com
Tags: Exploit, Vendor Advisory

https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Tags: Exploit, Vendor Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score: 10.0 / 10.0
EPSS (Exploit Probability): 0.2% (37th percentile)
Exploitation Status: Not in CISA KEV

Affected Vendors

erugo