CVE-2026-48126HIGH 8.2EPSS p25.1%

CVE-2026-48126CVE-2026-48126

Description

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.

Scoring

CVSS 3.18.2 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS0.34% probability of exploitation · percentile 25.1% · 2026-06-18T12:00:27Z
Published2026-05-26
Last modified2026-05-26

Underlying weaknesses· 3

CWE-22CWE-23CWE-644

References

  1. https://github.com/xyproto/algernon/security/advisories/GHSA-jc3j-x6pg-4hmv
  2. https://github.com/xyproto/algernon/security/advisories/GHSA-jc3j-x6pg-4hmv

3

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live
WeaknessRelative Path Traversalcwe-230%live
WeaknessImproper Neutralization of HTTP Headers for Scripting Syntaxcwe-6440%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-45721
CVE
CVE-2026-24897
CVE
CVE-2026-24895
CVE
CVE-2026-45062
CVE
CVE-2026-40611
CVE
Apache HTTP Server Path Traversal Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.