Skip to main content

Algernon EUVDEUVD-2026-31881

| CVE-2026-48126 HIGH
Path Traversal (CWE-22)
2026-05-26 GitHub_M GHSA-jc3j-x6pg-4hmv
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 10:04 vuln.today
Patch available
May 26, 2026 - 18:02 EUVD

DescriptionGitHub Advisory

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory - arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.

AnalysisAI

Path traversal in xyproto's Algernon web server prior to 1.17.8 lets unauthenticated remote attackers escape the document root via a crafted Host header when the server runs with --domain or --letsencrypt. Beyond arbitrary file read and directory listing, any reachable .lua file in the parent directory will be executed server-side, escalating disclosure into code execution. No public exploit is identified at time of analysis, but SSVC marks the issue as automatable with PoC and EPSS sits at the 20th percentile (0.07%).

Technical ContextAI

Algernon is a self-contained Go-based web server (CPE cpe:2.3:a:xyproto:algernon) that supports static content, Markdown, and embedded Lua scripting. When --domain is enabled (also implicitly via --letsencrypt at engine/flags.go:372), the request router constructs the on-disk path by passing the client-supplied Host header straight into filepath.Join with the configured --dir, with no normalization or containment check. filepath.Join cleans '..' segments but does not constrain the result to the base directory, which is the textbook CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) pattern. Because Algernon also resolves and executes .lua files it finds while serving, the same primitive that yields arbitrary file read becomes server-side script execution whenever the traversed directory contains Lua content.

RemediationAI

Vendor-released patch: upgrade to Algernon 1.17.8 or later, per the GHSA-jc3j-x6pg-4hmv advisory at https://github.com/xyproto/algernon/security/advisories/GHSA-jc3j-x6pg-4hmv. If immediate upgrade is not possible, run Algernon without --domain and without --letsencrypt so the vulnerable Host-header-based path resolution is bypassed - note this disables virtual-host routing and automatic TLS certificate issuance, so you will need to front Algernon with a reverse proxy (nginx, Caddy) that terminates TLS and supplies a fixed, validated Host. As an additional compensating control, place Algernon's --dir parent directory off any path that contains .lua files, and configure the upstream proxy to reject or normalize Host headers containing '..' or path-separator characters, which closes the specific traversal vector with no impact on legitimate clients.

Share

EUVD-2026-31881 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy