CVE-2026-24129

Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a
https://github.com/runtipi/runtipi/releases/tag/v4.7.0
https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9

Configurations

No configuration.

History

No history.

Information

Published : 2026-01-22 23:15

Updated : 2026-01-26 15:04

NVD link : CVE-2026-24129

Mitre link : CVE-2026-24129

CVE.ORG link : CVE-2026-24129

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

8.0 /10