Xyproto Algernon vulnerabilities
7 known vulnerabilities affecting xyproto/algernon.
Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 4, MEDIUM 2
Vulnerabilities
CVE-2026-45721 | P2 | CRITICAL | CVSS 9.0 | CWE-20 | fixed in 1.17.7 | 2026-05-26
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after
Source: nvd
CVE-2026-48126 | P3 | HIGH | CVSS 8.2 | CWE-22 | fixed in 1.17.8 | 2026-05-26
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath
Source: nvd
CVE-2026-43982 | P3 | HIGH | CVSS 8.7 | CWE-22 | fixed in 1.17.6 | 2026-05-26
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This vulnerability is fixed in 1.17.6.
Source: nvd
CVE-2026-45728 | P3 | HIGH | CVSS 7.5 | CWE-209 | fixed in 1.17.7 | 2026-05-26
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error response dumps the absolute path of the file that errored, com
Source: nvd
CVE-2026-43981 | P3 | HIGH | CVSS 8.2 | CWE-362 | fixed in 1.17.6 | 2026-05-26
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state causing Lua VM corruption. The Go race detector conf
Source: nvd
CVE-2026-46431 | P4 | MEDIUM | CVSS 4.3 | CWE-942 | fixed in 1.17.7 | 2026-05-26
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits ope
Source: nvd
CVE-2026-46430 | P4 | MEDIUM | CVSS 4.3 | CWE-668 | fixed in 1.17.7 | 2026-05-26
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553") resolves to ":5553". This vulnerability is fixed in 1.17.7.
Source: nvd