Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-24129

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-22 Jan, 2026 | 22:41
Updated At-23 Jan, 2026 | 20:05
Rejected At-
Credits

Runtipi is Vulnerable to Authenticated Arbitrary Remote Code Execution

Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:22 Jan, 2026 | 22:41
Updated At:23 Jan, 2026 | 20:05
Rejected At:
▼CVE Numbering Authority (CNA)
Runtipi is Vulnerable to Authenticated Arbitrary Remote Code Execution

Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0.

Affected Products
Vendor
runtipi
Product
runtipi
Versions
Affected
  • >= 3.7.0, < 4.7.0
Problem Types
TypeCWE IDDescription
CWECWE-78CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Type: CWE
CWE ID: CWE-78
Description: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
VersionBase scoreBase severityVector
3.18.1HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9
x_refsource_CONFIRM
https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a
x_refsource_MISC
https://github.com/runtipi/runtipi/releases/tag/v4.7.0
x_refsource_MISC
Hyperlink: https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a
Resource:
x_refsource_MISC
Hyperlink: https://github.com/runtipi/runtipi/releases/tag/v4.7.0
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:22 Jan, 2026 | 23:15
Updated At:26 Jan, 2026 | 15:04

Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.0HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-78Primarysecurity-advisories@github.com
CWE ID: CWE-78
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85asecurity-advisories@github.com
N/A
https://github.com/runtipi/runtipi/releases/tag/v4.7.0security-advisories@github.com
N/A
https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9security-advisories@github.com
N/A
Hyperlink: https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/runtipi/runtipi/releases/tag/v4.7.0
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

6Records found
CVE-2019-14894
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8||HIGH
EPSS-2.48% / 84.96%
||
7 Day CHG~0.00%
Published-22 Jun, 2020 | 17:53
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in the CloudForms management engine version 5.10 and CloudForms management version 5.11, which triggered remote code execution through NFS schedule backup. An attacker logged into the management console could use this flaw to execute arbitrary shell commands on the CloudForms server as root.

Action-Not Available
Vendor-[UNKNOWN]Red Hat, Inc.
Product-cloudforms_management_engineCloudForms
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-10622
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8||HIGH
EPSS-0.11% / 29.94%
||
7 Day CHG~0.00%
Published-05 Nov, 2025 | 07:32
Updated-06 Feb, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foreman: os command injection via ct_location and fcct_location parameters

A flaw was found in Red Hat Satellite (Foreman component). This vulnerability allows an authenticated user with edit_settings permissions to achieve arbitrary command execution on the underlying operating system via insufficient server-side validation of command whitelisting.

Action-Not Available
Vendor-The ForemanRed Hat, Inc.
Product-Red Hat Satellite 6.18 for RHEL 9Red Hat Satellite 6.16 for RHEL 8Red Hat Satellite 6.17 for RHEL 9ForemanRed Hat Satellite 6.16 for RHEL 9Red Hat Satellite 6.15 for RHEL 8Red Hat Satellite 6
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-59518
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.07% / 21.81%
||
7 Day CHG-0.12%
Published-17 Sep, 2025 | 00:00
Updated-17 Sep, 2025 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In LemonLDAP::NG before 2.16.7 and 2.17 through 2.21 before 2.21.3, OS command injection can occur in the Safe jail. It does not Localize _ during rule evaluation. Thus, an administrator who can edit a rule evaluated by the Safe jail can execute commands on the server.

Action-Not Available
Vendor-lemonldap-ng
Product-LemonLDAP::NG
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-58763
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.37% / 58.39%
||
7 Day CHG+0.04%
Published-09 Sep, 2025 | 20:13
Updated-18 Sep, 2025 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tautulli vulnerable to Authenticated Remote Code Execution via Command Injection

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. A command injection vulnerability in Tautulli v2.15.3 and prior allows attackers with administrative privileges to obtain remote code execution on the application server. This vulnerability requires the application to have been cloned from GitHub and installed manually. When Tautulli is cloned directly from GitHub and installed manually, the application manages updates and versioning through calls to the `git` command. In the code, this is performed through the `runGit` function in `versioncheck.py`. Since `shell=True` is passed to `subproces.Popen`, this call is vulnerable to subject to command injection, as shell characters within arguments will be passed to the underlying shell. A concrete location where this can be triggered is in the `checkout_git_branch` endpoint. This endpoint stores a user-supplied remote and branch name into the `GIT_REMOTE` and `GIT_BRANCH` configuration keys without sanitization. Downstream, these keys are then fetched and passed directly into `runGit` using a format string. Hence, code execution can be obtained by using `$()` interpolation in a command. Version 2.16.0 contains a fix for the issue.

Action-Not Available
Vendor-tautulliTautulli
Product-tautulliTautulli
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-29841
Matching Score-4
Assigner-Western Digital
ShareView Details
Matching Score-4
Assigner-Western Digital
CVSS Score-8||HIGH
EPSS-0.38% / 59.05%
||
7 Day CHG~0.00%
Published-10 May, 2023 | 21:04
Updated-24 Jan, 2025 | 21:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection vulnerability in Western Digital My Cloud devices

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data. This command could be triggered by an attacker remotely to cause code execution and gain a reverse shell in Western Digital My Cloud OS 5 devices.This issue affects My Cloud OS 5: before 5.26.119.

Action-Not Available
Vendor-Western Digital Corp.
Product-my_cloud_dl2100wd_cloudmy_cloudmy_cloud_ex4100my_cloud_ex2_ultramy_cloud_mirror_g2my_cloud_pr2100my_cloud_osmy_cloud_dl4100my_cloud_ex2100my_cloud_pr4100My Cloud OS 5
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-3874
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8||HIGH
EPSS-0.18% / 39.23%
||
7 Day CHG~0.00%
Published-22 Sep, 2023 | 13:56
Updated-24 Sep, 2024 | 15:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Os command injection via ct_command and fcct_command

A command injection flaw was found in foreman. This flaw allows an authenticated user with admin privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations in templates, possibly resulting in arbitrary command execution on the underlying operating system.

Action-Not Available
Vendor-n/aRed Hat, Inc.The Foreman
Product-satelliteforemanRed Hat Satellite 6foreman
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Details not found