{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T17:52:17.269","vulnerabilities":[{"cve":{"id":"CVE-2026-25116","sourceIdentifier":"security-advisories@github.com","published":"2026-01-29T22:15:56.110","lastModified":"2026-02-26T21:36:19.427","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability."},{"lang":"es","value":"Runtipi es un orquestador personal de servidor doméstico. A partir de la versión 4.5.0 y antes de la versión 4.7.2, una vulnerabilidad de salto de ruta no autenticada en el 'UserConfigController' permite a cualquier usuario remoto sobrescribir el archivo de configuración 'docker-compose.yml' del sistema. Al explotar el análisis URN inseguro, un atacante puede reemplazar la configuración de pila principal con una maliciosa, lo que resulta en una ejecución remota de código (RCE) completa y compromiso del sistema de archivos del host la próxima vez que el operador reinicie la instancia. La versión 4.7.2 corrige la vulnerabilidad."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":4.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"},{"lang":"en","value":"CWE-306"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5.0","versionEndExcluding":"4.7.2","matchCriteriaId":"5DE14B0D-E9DF-4F18-BEC4-6603D6B645A7"}]}]}],"references":[{"url":"https://github.com/runtipi/runtipi/releases/tag/v4.7.2","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}