6.5

CVE-2026-47277

Runtipi: Unauthenticated arbitrary file read through app-store logo symlinks

Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only the lexical path before Node reads the file, so a Git app store that contains metadata/logo.jpg as a symbolic link can cause Runtipi to read and return the symlink target. Because the endpoint is public and the symlink target may point outside the cloned repository, this can expose local files from the Runtipi container such as /data/.env, /data/state/seed, logs, or application files. This can disclose JWT secrets, service credentials, local configuration, and operational logs depending on the instance. The issue has been fixed in version 4.10.0.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerruntipi
Produkt runtipi
Version >= 4.9.1, < 4.10.0
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.4% 0.314
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
a0819718-46f1-4df5-94e2-005712e83aaa 6.5 0 0
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://github.com/runtipi/runtipi/security/advisories/GHSA-qrqj-p7hm-4m66
x_refsource_CONFIRM
https://github.com/runtipi/runtipi/releases/tag/v4.10.0
x_refsource_MISC