79 matches found
Race Condition
Overview github.com/xyproto/algernon/engine: Affected versions of this package are vulnerable to Race Condition in the handle process due to the sync.RWMutex being released before L.Push and L.PCall execute. An attacker can cause Lua VM corruption or unpredictable server behavior by making...
Exposure of Resource to Wrong Sphere
Overview Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere via the engine/flags.go process, which causes the SSE event server to bind to all network interfaces by default on Linux and macOS. An attacker can access sensitive event data by connecting to the...
CVE-2026-48126
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...
CVE-2026-46431
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...
CVE-2026-46430
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553") resolves to ":5553"...
CVE-2026-45728
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error respon...
CVE-2026-45721
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute a...
CVE-2026-43982
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn in lua/upload/upload.go uses filepath.Join with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This...
CVE-2026-43981
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push and L.PCall execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state...
EUVD-2026-31881
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...
CVE-2026-48126
Algernon, a small self-contained pure-Go web server, is vulnerable prior to version 1.17.8 when started with --domain (or --letsencrypt). The request handler resolves the served directory by joining the configured --dir with the client-supplied Host header using filepath.Join without validation, ...
CVE-2026-48126
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...
CVE-2026-48126 Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...
CVE-2026-46431 Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...
CVE-2026-46431
CVE-2026-46431 affects Algernon’s SSE event server prior to version 1.17.7, where Access-Control-Allow-Origin was hardcoded to “*”. This allowed cross-origin EventSource connections to read the live filename stream, compromising confidentiality. The issue is fixed in 1.17.7; upgrading to that ver...
CVE-2026-46431
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...
CVE-2026-46431 Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...
EUVD-2026-31870
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...
EUVD-2026-31869
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553") resolves to ":5553"...
CVE-2026-46430
CVE-2026-46430 affects Algernon (SSE event server). Before 1.17.7, the SSE event server bound to 0.0.0.0:5553 by default on Linux/macOS due to host default logic, enabling LAN-wide access. The issue arises from platform-dependent default host handling (empty on non-Windows), resulting in an effec...