Lucene search
K

89 matches found

OSV
OSV
added 6 days ago2 views

GHSA-MM6C-5J6X-HQ8M Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename

Summary Algernon selects its file handler from filepath.Ext engine/handlers.go:134, which does not treat the NTFS-equivalent names x.lua::$DATA, x.lua., or x.lua as .lua. On Windows, an unauthenticated client appends one of these suffixes to any server-side script on a public path and receives it...

8.7CVSS5.9AI score0.00077EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 6 days ago11 views

PT-2026-55477

Name of the Vulnerable Software and Affected Versions Algernon version 1.17.8 Description On Windows hosts using the NTFS filesystem, an unauthenticated client can retrieve the raw source code of server-side scripts such as .lua, .tl, .po2, .amber, or .frm located on public paths. This occurs...

8.7CVSS6.1AI score0.00077EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/23 9:49 p.m.15 views

EUVD-2026-31881

Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir...

8.2CVSS5.8AI score0.00335EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:29 p.m.16 views

CVE-2026-46430

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553"...

4.3CVSS5.5AI score0.00197EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:29 p.m.16 views

CVE-2026-46431

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...

4.3CVSS5.4AI score0.00219EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:23 p.m.11 views

CVE-2026-43981

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push and L.PCall execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state...

8.2CVSS5.5AI score0.00182EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:23 p.m.11 views

CVE-2026-43982

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn in lua/upload/upload.go uses filepath.Join with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This...

8.7CVSS5.4AI score0.00344EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.11 views

CVE-2026-45721

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute a...

9CVSS6.4AI score0.00437EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.10 views

CVE-2026-45728

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error respon...

7.5CVSS5.5AI score0.00303EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:13 p.m.9 views

CVE-2026-48126

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...

8.2CVSS5.6AI score0.00335EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/26 6:40 p.m.9 views

Race Condition

Overview github.com/xyproto/algernon/engine is a Affected versions of this package are vulnerable to Race Condition. in the handle process due to the sync.RWMutex being released before L.Push and L.PCall execute. An attacker can cause Lua VM corruption or unpredictable server behavior by making...

8.2CVSS5.8AI score0.00182EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/26 6:40 p.m.9 views

Exposure of Resource to Wrong Sphere

Overview Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere via the engine/flags.go process, which causes the SSE event server to bind to all network interfaces by default on Linux and macOS. An attacker can access sensitive event data by connecting to the...

5.3CVSS5.8AI score0.00197EPSS
Exploits0References2
NVD
NVD
added 2026/05/26 5:16 p.m.28 views

CVE-2026-48126

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...

8.2CVSS0.00335EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 5:16 p.m.18 views

CVE-2026-46431

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...

4.3CVSS0.00219EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 5:16 p.m.12 views

CVE-2026-46430

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553"...

4.3CVSS0.00197EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 5:16 p.m.15 views

CVE-2026-45728

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error respon...

7.5CVSS0.00303EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 5:16 p.m.18 views

CVE-2026-45721

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute a...

9CVSS0.00437EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 5:16 p.m.16 views

CVE-2026-43982

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn in lua/upload/upload.go uses filepath.Join with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This...

8.7CVSS0.00344EPSS
Exploits0References2
NVD
NVD
added 2026/05/26 5:16 p.m.20 views

CVE-2026-43981

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push and L.PCall execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state...

8.2CVSS0.00182EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/26 4:44 p.m.6 views

CVE-2026-48126

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...

8.2CVSS6AI score0.00335EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder