Skip to main content

Algernon CVE-2026-43982

| EUVDEUVD-2026-31863 HIGH
Path Traversal (CWE-22)
2026-05-26 GitHub_M
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 09:46 vuln.today
Patch available
May 26, 2026 - 18:02 EUVD
CVSS changed
May 26, 2026 - 17:22 NVD
8.7 (HIGH)
CVE Published
May 26, 2026 - 16:30 nvd
UNKNOWN (no severity yet)

DescriptionGitHub Advisory

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This vulnerability is fixed in 1.17.6.

AnalysisAI

Path traversal in Algernon web server versions prior to 1.17.6 allows remote unauthenticated attackers to write uploaded files outside the intended directory by supplying a directory parameter containing ../ sequences. The flaw in uploadedFileSaveIn() within lua/upload/upload.go fails to validate the joined path after filepath.Join(), so a value like ../../../tmp resolves to /tmp on the host. No public exploit identified at time of analysis, and EPSS is very low (0.05%), but CISA SSVC flags the issue as automatable with partial technical impact.

Technical ContextAI

Algernon is a self-contained pure-Go web server developed by xyproto that embeds a Lua scripting environment for dynamic content. The vulnerable code path is the Lua-exposed uploadedFileSaveIn() helper in lua/upload/upload.go, which constructs a destination path using Go's filepath.Join(). filepath.Join() canonicalizes ../ segments but does not constrain the result to a base directory - a well-known CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) pitfall in Go file-handling code. Because no boundary check (e.g. comparing the cleaned path against a trusted prefix or using filepath.Rel) is performed before writing, a caller-controlled directory argument can escape the web root entirely.

RemediationAI

Upgrade to Algernon 1.17.6 or later, which is the vendor-released patch that adds boundary validation after the filepath.Join() in uploadedFileSaveIn(); see the advisory at https://github.com/xyproto/algernon/security/advisories/GHSA-2j2c-pv62-mmcp. Until the upgrade is deployed, audit any Lua handlers that call uploadedFileSaveIn() and hard-code or sanitize the directory argument so it cannot be influenced by request data - rejecting inputs containing '..' or non-ASCII path separators, or computing filepath.Rel against the intended root and refusing results that begin with '..'. As a deployment-level compensating control, run the Algernon process under a dedicated unprivileged user with a restricted filesystem view (chroot, containers with read-only mounts, or systemd ProtectSystem/ReadOnlyPaths), accepting the trade-off that legitimate upload targets outside the web root will also be blocked.

Share

CVE-2026-43982 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy