CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 2026/05/26 5:16 p.m.•10 views

CVE-2026-45721

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute a...

9CVSS0.00223EPSS

NVD•added 2026/05/26 5:16 p.m.•9 views

CVE-2026-43981

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push and L.PCall execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state...

8.2CVSS0.0005EPSS

Exploits0References2

RedhatCVE•added 2026/05/26 4:50 p.m.•8 views

CVE-2026-23631

A flaw was found in Redis, an in-memory data structure store. An authenticated attacker can exploit a use-after-free vulnerability in redis-server with Lua scripting. This occurs through the master-replica synchronization mechanism on replicas where replica-read-only is disabled or can be disable...

8.8CVSS5.7AI score0.00092EPSS

Exploits0References5

EUVD•added 2026/05/26 4:44 p.m.•7 views

EUVD-2026-31881

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...

CVE•added 2026/05/26 4:44 p.m.•12 views

CVE-2026-48126

Algernon, a small self-contained pure-Go web server, is vulnerable prior to version 1.17.8 when started with --domain (or --letsencrypt). The request handler resolves the served directory by joining the configured --dir with the client-supplied Host header using filepath.Join without validation, ...

ATTACKERKB•added 2026/05/26 4:44 p.m.•4 views

CVE-2026-48126

Exploits0References2Affected Software1

Cvelist•added 2026/05/26 4:44 p.m.•36 views

CVE-2026-48126 Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir

8.2CVSS0.00086EPSS

Vulnrichment•added 2026/05/26 4:44 p.m.•8 views

CVE-2026-48126 Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir

CVE•added 2026/05/26 4:38 p.m.•9 views

CVE-2026-45728

CVE-2026-45728 (Algernon) exposes server-side source on error when running in single-file mode. Prior to 1.17.7, invoking Algernon with a file path (not a dir) forces singleFileMode, which enables debugMode and renders PrettyError pages that reveal the absolute path and full contents of the error...

Vulnrichment•added 2026/05/26 4:38 p.m.•8 views

CVE-2026-45728 Algernon: Single-file mode unconditionally enables debug mode

ATTACKERKB•added 2026/05/26 4:38 p.m.•5 views

CVE-2026-45728

Exploits0References2Affected Software1

EUVD•added 2026/05/26 4:38 p.m.•8 views

EUVD-2026-31868

EUVD•added 2026/05/26 4:34 p.m.•6 views

EUVD-2026-31867

CVE•added 2026/05/26 4:34 p.m.•10 views

CVE-2026-45721

CVE-2026-45721 (Algernon) describes a pre-auth remote code execution in Algernon web server prior to version 1.17.7. When a request targets a directory without an index, DirPage behavior walks upward through parent directories past the configured server root in search of a file named handler.lua....

ATTACKERKB•added 2026/05/26 4:34 p.m.•7 views

CVE-2026-45721

Exploits0References2Affected Software1

Vulnrichment•added 2026/05/26 4:34 p.m.•4 views

CVE-2026-45721 Algernon: handler.lua discovery walks parent directories above the server root