CVE-2026-46430

4.3 MEDIUM

Algernon is a small self-contained pure-Go web server

Published: 2026-05-26 · Last updated: 2026-05-26

Severity and scoring

CVSS: 4.3 MEDIUM
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-1188, CWE-668

Description

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553") resolves to ":5553". This vulnerability is fixed in 1.17.7.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-48096 — OpenFGA is an authorization/permission engine built for developers (5.0 MEDIUM)
CVE-2026-46517 — LMDeploy is a toolkit for compressing, deploying, and serving large language models (7.8 HIGH)
CVE-2026-42535 — A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV proper... (9.1 CRITICAL)
CVE-2026-36616 — Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS... (5.9 MEDIUM)
CVE-2026-36612 — Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 1... (6.4 MEDIUM)