CVE-2026-48126

Summary

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with –domain (or –letsencrypt, which silently turns on –domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured –dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.

Affected Software

VendorProductVersion RangeStatus
xyprotoalgernon< 1.17.8affected

Weaknesses

  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-23: CWE-23: Relative Path Traversal
  • CWE-644: CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References