CVE-2026-48126

Published: Mag 26, 2026 Last Modified: Mag 26, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 8,2
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: low
Availability: none

Description

AI Translation Available

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.

22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Stable
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Confidentiality Availability
Potential Impacts:
Execute Unauthorized Code Or Commands Modify Files Or Directories Read Files Or Directories Dos: Crash, Exit, Or Restart
Applicable Platforms
Technologies: AI/ML
Likelihood of Exploit: High
View CWE Details
23

Relative Path Traversal

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Confidentiality Availability
Potential Impacts:
Execute Unauthorized Code Or Commands Modify Files Or Directories Read Files Or Directories Dos: Crash, Exit, Or Restart
Applicable Platforms
Technologies: Not Technology-Specific, Web Based, AI/ML
View CWE Details
644

Improper Neutralization of HTTP Headers for Scripting Syntax

Incomplete
Abstraction: Variant Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Confidentiality Availability
Potential Impacts:
Execute Unauthorized Code Or Commands Read Application Data
Applicable Platforms
Technologies: Web Based, Web Server
Likelihood of Exploit: High
View CWE Details
https://github.com/xyproto/algernon/security/advisories/GHS…
https://github.com/xyproto/algernon/security/advisories/GHSA-jc3j-x6pg-4hmv
https://github.com/xyproto/algernon/security/advisories/GHS…
https://github.com/xyproto/algernon/security/advisories/GHSA-jc3j-x6pg-4hmv