PatchSiren

xyproto CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH xyproto CVE published 2026-05-26

CVE-2026-48126

A path traversal vulnerability in Algernon web server allows arbitrary file read, directory listing, and server-side Lua execution when the server is started with --domain or --letsencrypt flags. The vulnerability exists because the request handler uses filepath.Join to combine the configured --dir with the client-supplied Host header without validation, enabling directory traversal via a Host: .. header. [truncated]

MEDIUM xyproto CVE published 2026-05-26

CVE-2026-46431

CVE-2026-46431 is a cross-origin information disclosure vulnerability in Algernon, a self-contained pure-Go web server. Prior to version 1.17.7, the SSE (Server-Sent Events) event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard '*', regardless of the caller's Origin header. Because EventSource connections do not perform CORS preflight requests and do not include cookies, [truncated]

MEDIUM xyproto CVE published 2026-05-26

CVE-2026-46430

CVE-2026-46430 is a medium-severity vulnerability in Algernon, a self-contained pure-Go web server. Prior to version 1.17.7, the SSE (Server-Sent Events) event server binds to 0.0.0.0:5553 by default on Linux and macOS systems due to a platform-dependent host default in engine/flags.go. When the host is set to an empty string on non-Windows platforms, utils.JoinHostPort("", ":5553") resolves to ":5553", w [truncated]

HIGH xyproto CVE published 2026-05-26

CVE-2026-45728

CVE-2026-45728 is a high-severity information disclosure vulnerability in Algernon, a self-contained pure-Go web server. When Algernon is invoked with a single file path rather than a directory (activating singleFileMode), debugMode is forcibly enabled. This activates the PrettyError renderer, which on any Lua or template error dumps the absolute file path, complete byte contents of the errored file, and [truncated]

HIGH xyproto CVE published 2026-05-26

CVE-2026-43981

A race condition in Algernon, a self-contained pure-Go web server, allows concurrent requests to corrupt the shared Lua VM state. The vulnerability exists in engine/luahandler.go where the sync.RWMutex protecting LoadCommonFunctions is released before gopher-lua's L.Push() and L.PCall() operations complete. Since gopher-lua's LState is explicitly not goroutine-safe, this premature unlock enables data race [truncated]