CVE-2026-46431
published 2026-05-26

Priority: P4 22
Severity: Medium, 4.3 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS: 0.22% (12.3th percentile)
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7.
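The fix class the description implies, shown as an added Go example that is not Algernon's own code: an SSE handler with the header hardcoded to `*` beside one that echoes only an allowlisted Origin, plus a helper that reports which header each emits for a given Origin. The allowlist, the /events path and the sample event are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed allowlist: only the local UI that legitimately consumes the
// filename stream is permitted; origins are matched exactly (scheme, host, port).
var allowedOrigins = map[string]bool{"http://localhost:3000": true}

// vulnerableSSEHandler reproduces the weak pattern in the description:
// the header is hardcoded to "*" regardless of the caller's Origin.
func vulnerableSSEHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "*")
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "event: change\ndata: index.html\n\n") // constructed sample event
}

// hardenedSSEHandler echoes only an allowlisted Origin and adds Vary: Origin so a
// cache never replays one origin's response to another. Any other origin gets no
// CORS header, so the browser blocks the cross-origin EventSource before JS reads it.
func hardenedSSEHandler(w http.ResponseWriter, r *http.Request) {
	if origin := r.Header.Get("Origin"); allowedOrigins[origin] {
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Add("Vary", "Origin")
	}
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "event: change\ndata: index.html\n\n")
}

// allowOriginFor sends a constructed GET /events carrying the given Origin to a
// handler and returns the Access-Control-Allow-Origin it emitted ("" if none).
func allowOriginFor(h http.HandlerFunc, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/events", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	for _, o := range []string{"http://localhost:3000", "https://third-party.example"} {
		fmt.Printf("%-28s vulnerable=%-4q hardened=%q\n", o,
			allowOriginFor(vulnerableSSEHandler, o), allowOriginFor(hardenedSSEHandler, o))
	}
}
```

A quick way to confirm a deployed server is patched is to send a request with an unexpected Origin and check that the response carries no `Access-Control-Allow-Origin: *`.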

Affected (2 ranges)

Vendor      Product           Version range      Fixed in
github.com  xyproto_algernon  >= 0, < 1.17.7     1.17.7
xyproto     algernon          < 1.17.7           1.17.7