QSearchQSearch

CVE-2026-48126

8.2 HIGH

Algernon is a small self-contained pure-Go web server

Published: 2026-05-26 · Last updated: 2026-05-26

Severity and scoring

CVSS
8.2 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE
CWE-22, CWE-23, CWE-644

Description

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-47368 A malicious actor with access to the network could exploit a Path Traversal vulnerability found in certain devices running UniFi OS to ob... (8.6 HIGH)
  • CVE-2026-45171 Incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to ...
  • CVE-2025-24268 A parsing issue in the handling of directory paths was addressed with improved path validation (5.5 MEDIUM)
  • CVE-2026-49982 tmp is a temporary file and directory creator for node.js (8.2 HIGH)
  • CVE-2026-44705 tmp is a temporary file and directory creator for node.js