CVE-2026-48126
Published 2026-05-26
Priority P354 · Severity high · CVSS 3.1 base score 8.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS 0.34% (25.3rd percentile)
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | xyproto_algernon | >= 0 < 1.17.8 | 1.17.8 |
| xyproto | algernon | < 1.17.8 | 1.17.8 |
VulDB
xyproto algernon up to 1.17.7 engine/flags.go path traversal (GHSA-jc3j-x6pg-4hmv / EUVD-2026-31881)
vuldb · 2026-06-24 · CVSS 8.2 · HIGH
A vulnerability has been found in xyproto algernon up to 1.17.7 and classified as critical. Impacted is an unknown function of the file engine/flags.go. The manipulation leads to path traversal.
This vulnerability is documented as CVE-2026-48126. The attack can be initiated remotely. There is no exploit available.
The affected component should be upgraded.
GHSA
Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir
ghsa · 2026-06-23 · HIGH · CWE-22
### Summary
When algernon is started with `--domain` (or `--letsencrypt`, which silently turns on `--domain` at `engine/flags.go:372`), the request handler resolves the served directory by joining the configured `--dir` with the value of the client-supplied `Host` header. The join is performed by `filepath.Join` with no validation, so a `Host: ..` header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any `.lua` file is present, server-side Lua execution. Algernon 1.17.7 and earlier are affected.
### Details
`engine/handlers.go` (function `RegisterHandlers`, around line
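The flaw described in the summary above (and again in the GHSA summary) is a single unchecked `filepath.Join` of the document root with the client-controlled `Host` header. The following is an added illustration, not Algernon's own code: it reconstructs that pattern as `resolveServeDirUnchecked` and places a hardened `resolveServeDirSafe` beside it that first normalizes the header to a plain DNS hostname (port stripped, each label restricted to letters, digits and hyphens) and then re-checks that the joined path still lies under the root. The function names, the `/srv/www` root and the sample hosts are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"path/filepath"
	"regexp"
	"strings"
)

// resolveServeDirUnchecked reproduces the flawed pattern the advisory
// describes: root is joined with the raw Host header and nothing verifies
// that the result is still inside root. Host ".." therefore yields the
// parent of root. (Illustrative reconstruction, not the project's code.)
func resolveServeDirUnchecked(root, host string) string {
	return filepath.Join(root, host)
}

// hostLabel accepts one DNS label: 1-63 chars, alphanumerics and inner hyphens.
var hostLabel = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// normalizeHost strips an optional :port, lowercases, and checks that what
// remains is a dot-separated sequence of valid labels. Empty strings, "..",
// slashes, backslashes, NUL bytes and IP literals are all rejected.
func normalizeHost(host string) (string, error) {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if host == "" {
		return "", errors.New("empty host")
	}
	for _, label := range strings.Split(host, ".") {
		if !hostLabel.MatchString(label) {
			return "", fmt.Errorf("invalid host label %q", label)
		}
	}
	return host, nil
}

// resolveServeDirSafe validates the Host header, joins it with the absolute
// root, and then confirms by filepath.Rel that the result did not escape.
// The second check is defence in depth: even if the allow-list were loosened
// later, a ".." or absolute path could still not leave the document root.
func resolveServeDirSafe(root, host string) (string, error) {
	h, err := normalizeHost(host)
	if err != nil {
		return "", err
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	dir := filepath.Join(absRoot, h)
	rel, err := filepath.Rel(absRoot, dir)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("host %q escapes document root", host)
	}
	return dir, nil
}

func main() {
	root := "/srv/www" // assumed document root for the demonstration
	for _, h := range []string{"example.com", "example.com:443", "..", "../..", "/etc", "a/b"} {
		fmt.Printf("Host %-18q unchecked=%-22s", h, resolveServeDirUnchecked(root, h))
		if dir, err := resolveServeDirSafe(root, h); err != nil {
			fmt.Println("safe=rejected:", err)
		} else {
			fmt.Println("safe=", dir)
		}
	}
}
```

Running the block shows `Host: ..` resolving to `/srv` in the unchecked variant and being rejected in the safe one. Note that the strict label check also refuses IPv4 and IPv6 literals; a server that must serve by IP should map those to a fixed directory explicitly rather than loosening the allow-list.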
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.