Skip to main content

Algernon

4 CVEs product

Monthly

CVE-2026-48126 Go HIGH PATCH GHSA This Week

Path traversal in xyproto's Algernon web server prior to 1.17.8 lets unauthenticated remote attackers escape the document root via a crafted Host header when the server runs with --domain or --letsencrypt. Beyond arbitrary file read and directory listing, any reachable .lua file in the parent directory will be executed server-side, escalating disclosure into code execution. No public exploit is identified at time of analysis, but SSVC marks the issue as automatable with PoC and EPSS sits at the 20th percentile (0.07%).

Path Traversal Algernon
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-43981 HIGH PATCH This Week

Denial of service in Algernon web server versions prior to 1.17.6 stems from a race condition in the Lua handler engine where the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute on the non-goroutine-safe gopher-lua LState. Concurrent HTTP requests corrupt the shared Lua VM state, causing server instability. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but reproduction is trivial under modest load (ab -n 1000 -c 100).

Information Disclosure Race Condition Algernon
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-43982 HIGH PATCH This Week

Path traversal in Algernon web server versions prior to 1.17.6 allows remote unauthenticated attackers to write uploaded files outside the intended directory by supplying a directory parameter containing ../ sequences. The flaw in uploadedFileSaveIn() within lua/upload/upload.go fails to validate the joined path after filepath.Join(), so a value like ../../../tmp resolves to /tmp on the host. No public exploit identified at time of analysis, and EPSS is very low (0.05%), but CISA SSVC flags the issue as automatable with partial technical impact.

Path Traversal Algernon
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2023-26131 Go MEDIUM POC This Month

All versions of the package github.com/xyproto/algernon/engine; all versions of the package github.com/xyproto/algernon/themes are vulnerable to Cross-site Scripting (XSS) via the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Algernon
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Path traversal in xyproto's Algernon web server prior to 1.17.8 lets unauthenticated remote attackers escape the document root via a crafted Host header when the server runs with --domain or --letsencrypt. Beyond arbitrary file read and directory listing, any reachable .lua file in the parent directory will be executed server-side, escalating disclosure into code execution. No public exploit is identified at time of analysis, but SSVC marks the issue as automatable with PoC and EPSS sits at the 20th percentile (0.07%).

Path Traversal Algernon
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial of service in Algernon web server versions prior to 1.17.6 stems from a race condition in the Lua handler engine where the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute on the non-goroutine-safe gopher-lua LState. Concurrent HTTP requests corrupt the shared Lua VM state, causing server instability. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but reproduction is trivial under modest load (ab -n 1000 -c 100).

Information Disclosure Race Condition Algernon
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Path traversal in Algernon web server versions prior to 1.17.6 allows remote unauthenticated attackers to write uploaded files outside the intended directory by supplying a directory parameter containing ../ sequences. The flaw in uploadedFileSaveIn() within lua/upload/upload.go fails to validate the joined path after filepath.Join(), so a value like ../../../tmp resolves to /tmp on the host. No public exploit identified at time of analysis, and EPSS is very low (0.05%), but CISA SSVC flags the issue as automatable with partial technical impact.

Path Traversal Algernon
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

All versions of the package github.com/xyproto/algernon/engine; all versions of the package github.com/xyproto/algernon/themes are vulnerable to Cross-site Scripting (XSS) via the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Algernon
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy