CVE-2026-24129

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24129
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24129.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24129
Aliases
  • GHSA-vrgf-rcj5-6gv9
Published
2026-01-22T22:41:28.993Z
Modified
2026-01-28T05:49:52.634521Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Runtipi is Vulnerable to Authenticated Arbitrary Remote Code Execution
Details

Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0.

Database specific 
{
    "cwe_ids": [
        "CWE-78"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24129.json"
}
References

Affected packages

Git / github.com/runtipi/runtipi

Affected ranges

Type
GIT
Repo
https://github.com/runtipi/runtipi
Events
Introduced
6593089f8f7eefe75f398dc2cd1dd56b5477b4e3
Fixed
62e735e4ca1b3788a7494314b8ca7a80f65254e0

Affected versions

Other
e2e
v3.*
v3.10.0
v3.10.0-beta.1
v3.10.0-beta.2
v3.10.0-beta.3
v3.10.0-beta.4
v3.10.0-beta.9
v3.7.0
v3.7.1
v3.7.1-beta.1
v3.7.1-beta.2
v3.7.1-beta.3
v3.7.2
v3.7.2-beta.1
v3.7.3
v3.7.3-beta.1
v3.7.4
v3.7.5
v3.8.0
v3.8.0-beta.1
v3.8.0-beta.2
v3.8.1
v3.8.2
v3.8.2-alpha.1
v3.8.3
v3.8.3-alpha.1
v3.8.3-alpha.2
v3.8.3-beta.1
v3.8.3-beta.2
v3.8.3-beta.3
v3.8.3-beta.4
v3.8.3-beta.5
v3.8.3-beta.6
v3.8.4
v3.8.4-alpha.1
v3.8.4-alpha.2
v3.8.4-alpha.3
v3.8.4-beta.1
v3.9.0
v3.9.0-alpha.1
v3.9.0-alpha.2
v3.9.0-beta.1
v3.9.0-beta.2
v3.9.0-beta.3
v3.9.0-beta.4
v3.9.1
v3.9.2
v3.9.2-beta.1
v3.9.2-beta.2
v3.9.3
v3.9.3-beta.1
v3.9.3-beta.2
v3.9.3-beta.3
v3.9.4
v3.9.4-beta.1
v3.9.4-beta.2
v3.9.4-beta.3
v3.9.4-beta.4
v3.9.4-beta.5
v3.9.5-beta.1
v4.*
v4.0.0
v4.0.0-alpha.1
v4.0.0-alpha.2
v4.0.0-beta.1
v4.0.0-beta.10
v4.0.0-beta.11
v4.0.0-beta.12
v4.0.0-beta.13
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0-beta.5
v4.0.0-beta.6
v4.0.0-beta.7
v4.0.0-beta.8
v4.0.0-beta.9
v4.0.1
v4.0.2
v4.0.3
v4.0.3-beta.1
v4.1.0
v4.1.0-alpha.1
v4.1.0-alpha.2
v4.1.0-beta.1
v4.1.0-beta.2
v4.1.1
v4.1.1-alpha.1
v4.1.1-alpha.2
v4.1.1-alpha.3
v4.1.2-alpha.1
v4.2.0
v4.2.0-beta.1
v4.2.0-beta.2
v4.2.0-beta.3
v4.2.0-beta.4
v4.2.1
v4.3.0
v4.3.0-beta.1
v4.3.0-beta.2
v4.4.0
v4.4.0-alpha.1
v4.4.0-beta.1
v4.4.0-beta.2
v4.4.0-beta.3
v4.4.0-beta.4
v4.4.0-beta.6
v4.4.0-beta.7
v4.5.0
v4.5.0-beta.1
v4.5.0-beta.2
v4.5.0-beta.3
v4.5.0-beta.4
v4.5.0-beta.5
v4.5.0-beta.6
v4.5.0-beta.7
v4.5.1
v4.5.2
v4.5.2-alpha.1
v4.5.3
v4.5.4
v4.5.5
v4.6.0
v4.6.0-beta.1
v4.6.0-beta.2
v4.6.1
v4.6.2
v4.6.3
v4.6.3-beta.1
v4.6.3-beta.2
v4.6.4
v4.6.5
v4.7.0-alpha.1
v4.7.0-alpha.2
v4.7.0-beta.1
v4.7.0-beta.2
v4.7.0-beta.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24129.json"