ByteOS Network

NVD Vulnerability Details :

CVE-2026-24129

Awaiting Analysis

Source-security-advisories@github.com

Published At-22 Jan, 2026 | 23:15

Updated At-26 Jan, 2026 | 15:04

Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	8.0	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 8.0

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Weaknesses

CWE ID	Type	Source
CWE-78	Primary	security-advisories@github.com

CWE ID: CWE-78

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a	security-advisories@github.com	N/A
https://github.com/runtipi/runtipi/releases/tag/v4.7.0	security-advisories@github.com	N/A
https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9	security-advisories@github.com	N/A