Arbitrary Code Execution Vulnerability in Runtipi Docker-Based Personal Homeserver
CVE-2026-24129

8.1 HIGH

Key Information:

Vendor: Runtipi
Status: Vendor
CVE Published: 22 January 2026

What is CVE-2026-24129?

Runtipi, a personal homeserver orchestrator running in Docker, is impacted by a critical flaw that allows an authenticated user to execute arbitrary system commands. This vulnerability arises from the BackupManager component, which fails to sanitize backup filenames uploaded by users. Attackers can exploit this weakness by injecting shell metacharacters into these filenames, enabling them to place malicious files in predictable locations on the host server. When these files are subsequently referenced during restore operations, the system may execute the injected commands. This issue underscores the importance of file validation and sanitization in backup management systems. The vulnerability has been resolved in version 4.7.0.
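The defensive counterpart to the flaw described above, as an added example that is not Runtipi's own code: an allowlist check for user-supplied backup filenames, the shell-string pattern the advisory describes shown beside a form that validates first and passes the path as a single argv element. BACKUP_DIR, the name pattern, the archive extension and the tar invocation are assumptions for illustration.

```typescript
// Added example, not Runtipi's code: an allowlist check for user-supplied
// backup filenames before they reach a restore step. BACKUP_DIR, the name
// pattern, the archive extension and the tar invocation are assumptions.

const BACKUP_DIR = "/data/backups";

// Exactly one path component: starts with a letter or digit, then letters,
// digits, "_" or "-", with single dots between segments, ending in .tar.gz.
// Slashes, "..", spaces, control characters and shell metacharacters
// (; | & $ ` ( ) < > etc.) cannot match. In JavaScript "$" only matches at
// the true end of the string, so a trailing newline is rejected as well.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9_-]*(\.[A-Za-z0-9_-]+)*\.tar\.gz$/;

export function isSafeBackupFilename(name: string): boolean {
  return name.length <= 128 && SAFE_NAME.test(name);
}

// The kind of pattern the advisory describes (an illustration, not the real
// source): the filename is spliced into a shell command string, so any
// metacharacter in it changes what the shell runs.
export function unsafeRestoreCommand(name: string): string {
  return `tar -xzf ${BACKUP_DIR}/${name} -C /restore`;
}

// Hardened form: refuse the name unless it matches the allowlist, then hand
// the path to the process as one argv element (e.g. via
// child_process.execFile, which does not go through a shell at all).
export function restoreArgv(name: string): { file: string; args: string[] } {
  if (!isSafeBackupFilename(name)) {
    throw new Error(`rejected backup filename: ${JSON.stringify(name)}`);
  }
  return {
    file: "tar",
    args: ["-xzf", `${BACKUP_DIR}/${name}`, "-C", "/restore"],
  };
}

// Batch check, useful when auditing an existing backup directory: returns
// the names that would be accepted and those that would be refused.
export function triageBackupNames(names: string[]): { ok: string[]; bad: string[] } {
  const ok: string[] = [];
  const bad: string[] = [];
  for (const n of names) (isSafeBackupFilename(n) ? ok : bad).push(n);
  return { ok, bad };
}
```

Running triageBackupNames over the contents of the backup directory is a quick way to spot files whose names would never have passed the allowlist.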


Affected Version(s)

runtipi >= 3.7.0, < 4.7.0

CVSS v3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
