CVE-2026-25116 · HIGH 8.8 · EPSS percentile 42.5%

Description

Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.57% probability of exploitation · percentile 42.5% · 2026-06-18T12:00:27Z
Published: 2026-01-29
Last modified: 2026-02-26

Underlying weaknesses · 2

CWE-22, CWE-306

References

  1. https://github.com/runtipi/runtipi/releases/tag/v4.7.2
  2. https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6

Weakness mappings · 2

Type     | Target                                                                     | ID      | Confidence | Tier
Weakness | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | cwe-22  | 0%         | live
Weakness | Missing Authentication for Critical Function                               | cwe-306 | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-24129
  2. CVE: CVE-2026-31881
  3. CVE: CVE-2026-32729
  4. CVE: CVE-2025-54386
  5. CVE: CVE-2025-59156
  6. CVE: CVE-2025-34159

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.