CVE-2026-47277

Source
https://cve.org/CVERecord?id=CVE-2026-47277
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47277.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-47277
Aliases
  • GHSA-qrqj-p7hm-4m66
Published
2026-06-16T21:43:24.779Z
Modified
2026-07-08T08:13:48.539601208Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Runtipi: Unauthenticated arbitrary file read through app-store logo symlinks
Details

Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only the lexical path before Node reads the file, so a Git app store that contains metadata/logo.jpg as a symbolic link can cause Runtipi to read and return the symlink target. Because the endpoint is public and the symlink target may point outside the cloned repository, this can expose local files from the Runtipi container such as /data/.env, /data/state/seed, logs, or application files. This can disclose JWT secrets, service credentials, local configuration, and operational logs depending on the instance. The issue has been fixed in version 4.10.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47277.json",
    "cwe_ids": [
        "CWE-22",
        "CWE-59"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/runtipi/runtipi

Affected ranges

Type
GIT
Repo
https://github.com/runtipi/runtipi
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.9.1"
        },
        {
            "fixed": "4.10.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v4.*
v4.9.1
v4.9.1-beta.2
v4.9.1-beta.3
v4.9.2
v4.9.2-beta.1
v4.9.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47277.json"