CVE-2026-48126
HIGHAlgernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir
Title source: cnaDescription
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/xyproto/algernon/security/advisories/GHSA-jc3j-x6pg-4hmv
Scores
CVSS v3
8.2
EPSS
0.0034
EPSS Percentile
25.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
CWE-23
CWE-644
Status
published
Products (1)
xyproto/algernon
< 1.17.8
Published
May 26, 2026
Tracked Since
May 26, 2026