PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45728 xyproto CVE debrief

CVE-2026-45728 is a high-severity information disclosure vulnerability in Algernon, a self-contained pure-Go web server. When Algernon is invoked with a single file path rather than a directory (activating singleFileMode), debugMode is forcibly enabled. This activates the PrettyError renderer, which on any Lua or template error sends the absolute file path, the complete byte contents of the errored file, and the exception/parser error text to the requester with HTTP 200 OK. Any client able to reach the server and provoke a runtime error in the served script can obtain the full server-side source code of that script and of any sibling Lua data files consulted during the request. The vulnerability is fixed in version 1.17.7.

Vendor
xyproto
Product
algernon
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations running Algernon web servers in single-file mode; developers deploying Algernon-based applications; security teams monitoring for source code exposure incidents; infrastructure operators with publicly reachable Algernon instances.

Technical summary

The vulnerability stems from Algernon's singleFileMode behavior, in which debugMode is unconditionally enabled. The PrettyError renderer, active in debugMode, returns verbose error responses that include absolute file paths and complete file contents whenever Lua or template processing fails. Because this response is served with HTTP 200 OK, it is indistinguishable from a normal response to monitoring that keys only on status codes. An attacker needs only network reachability and the ability to trigger any runtime error in the served script to obtain full source disclosure. The attack requires no authentication and has low complexity.
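The two defects described above, debug mode implicitly forced on by single-file mode and an error renderer that ships path and source to the client, shown beside their hardened forms. This is an added Go example, not Algernon's code; Config, FlawedEffectiveDebug, HardenedEffectiveDebug and RenderError are illustrative names and the sample file content is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
)

// Config holds the two settings the advisory discusses. The field names are
// assumed for this illustration and are not Algernon's own identifiers.
type Config struct {
	SingleFileMode bool
	DebugMode      bool
}

// FlawedEffectiveDebug reproduces the coupling the advisory describes:
// serving a single file silently forces debug mode on (CWE-489 / CWE-1188).
func FlawedEffectiveDebug(c Config) bool { return c.DebugMode || c.SingleFileMode }

// HardenedEffectiveDebug keeps verbose error output strictly opt-in.
func HardenedEffectiveDebug(c Config) bool { return c.DebugMode }

// RenderError returns the status and body sent to the client for a script error.
// With debug on it behaves like the verbose renderer described above: absolute
// path, error text and the whole source go to the requester with HTTP 200
// (CWE-209). With debug off the client gets a generic 500 and the details stay
// in the server log.
func RenderError(debug bool, path string, source []byte, err error) (int, string) {
	if debug {
		return http.StatusOK, fmt.Sprintf("Error in %s: %v\n\n--- source ---\n%s", path, err, source)
	}
	log.Printf("script error in %s: %v", path, err) // server-side only
	return http.StatusInternalServerError, "Internal Server Error"
}

func main() {
	// Constructed sample: a server started on one file, debug never requested.
	cfg := Config{SingleFileMode: true}
	path := "/srv/app/index.lua"
	src := []byte(`local apiKey = "constructed-sample-secret"`)
	err := errors.New("parse error near 'end'")

	status, body := RenderError(FlawedEffectiveDebug(cfg), path, src, err)
	fmt.Printf("flawed:   %d %q\n", status, body)
	status, body = RenderError(HardenedEffectiveDebug(cfg), path, src, err)
	fmt.Printf("hardened: %d %q\n", status, body)
}
```

The flawed path returns 200 with the secret in the body; the hardened path returns 500 with a fixed message, so a status-code check alone now distinguishes failures from normal responses.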

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Algernon to version 1.17.7 or later to remediate this vulnerability
  • Avoid running Algernon in single-file mode on production systems until patched
  • Implement network-level access controls to restrict reachability of Algernon instances where patching is delayed
  • Review application logs for unexpected HTTP 200 responses containing source code disclosures that may indicate exploitation attempts
  • Consider disabling or restricting error detail verbosity in application configurations where supported

Evidence notes

CVE published 2026-05-26T17:16:47.900Z; modified 2026-05-26T19:26:42.643Z. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Weaknesses: CWE-209 (Information Exposure Through an Error Message), CWE-489 (Active Debug Code), CWE-540 (Inclusion of Sensitive Information in Source Code), CWE-1188 (Insecure Default Initialization of Resource).

Official resources

2026-05-26