CVE-2026-48126

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...

CVE-2026-48126

Algernon, a small self-contained pure-Go web server, is vulnerable prior to version 1.17.8 when started with --domain (or --letsencrypt). The request handler resolves the served directory by joining the configured --dir with the client-supplied Host header using filepath.Join without validation, ...

CVE-2026-48126 Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...

CVE-2026-48126 Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...

PT-2026-43308

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...

algernon 安全漏洞

Algernon is a web server developed by Alexander F. Rødseth. Versions of Algernon prior to 1.17.8 contained security vulnerabilities. These vulnerabilities stemmed from path traversal via the Host header when using the --domain option, potentially allowing arbitrary file reading, directory listing...

CVE-2026-42214 Improper Control of Generation of Code ('Code Injection') in dail8859/NotepadNext

Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which...

CVE-2026-2331

An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access witho...

EUVD-2026-10025

An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access witho...

POC-APISIX-RCE

Apache APISIX - Remote Code Execution Admin API script inject...

CVE-2018-4031

An exploitable vulnerability exists in the safe browsing function of the CUJO Smart Firewall, version 7003. The flaw lies in the way the safe browsing function parses HTTP requests. The server hostname is extracted from captured HTTP/HTTPS requests and inserted as part of a Lua statement without...

RLSA-2025:19345 Important: redis:7 security update

Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, ...

redis:7 security update

An update is available for module.redis, redis. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Redis is an advanced key-value store. It is often referred to as ...

SUSE CVE-2025-12120

Lite XL versions 2.1.8 and prior automatically execute the .liteproject.lua file when opening a project directory, without prompting the user for confirmation. The .liteproject.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow...

RLSA-2025:19237 Important: redis security update

Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, ...

Suricata 安全漏洞

Suricata is a suite of network Intrusion Detection Systems IDS, Intrusion Prevention Systems IPS, and network security monitoring engines developed by the Open Information Security Foundation OISF and its supported vendors, which supports multi-threading, built-in IPv6, and the ability to load...