PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48126 xyproto CVE debrief

A path traversal vulnerability in the Algernon web server allows arbitrary file read, directory listing, and server-side Lua execution when the server is started with the --domain or --letsencrypt flags. The request handler uses filepath.Join to combine the configured --dir with the client-supplied Host header without validation; because filepath.Join cleans the joined path, a Host header of .. resolves to the parent of the document root, which is then served. The issue is fixed in version 1.17.8.

Vendor
xyproto
Product
algernon
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations running Algernon web server with --domain or --letsencrypt flags enabled; security teams managing Go-based web infrastructure; developers using Algernon for production deployments

Technical summary

The Algernon web server (pure Go, self-contained) contains a path traversal vulnerability in its request handler when started with the --domain or --letsencrypt flags. In that mode the server chooses the directory to serve by joining the configured --dir with the raw Host header value using filepath.Join. filepath.Join cleans the result, so a Host header of .. does not select a subdirectory; it resolves to the directory one level above the document root, and nothing checks that the result still lies inside --dir. An unauthenticated remote attacker can therefore read arbitrary files and list directories in that parent directory and, if it contains .lua files, have the server execute them. No authentication or user interaction is required.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Algernon to version 1.17.8 or later
  • If an immediate upgrade is not possible, run the server without the --domain and --letsencrypt flags
  • As a temporary mitigation, front the server with a reverse proxy that rejects requests whose Host header is not one of the expected hostnames before they reach Algernon
  • Review server and proxy logs for requests whose Host header contains .. or path separators
  • Audit the parent directory of each document root for sensitive files or .lua scripts that traversal could expose or execute
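The following Go program is an added example, not Algernon's code or part of the advisory. It illustrates the mechanism described in the technical summary (a raw Host header joined onto the document root with filepath.Join) next to a hardened resolver that accepts only a plain hostname and re-checks containment, and it reuses the same validator to flag suspicious Host values in log lines, as the log-review action above suggests. The log line format with a quoted host="..." field is an assumption made for the example; the vulnerable join is a stand-in for the pattern the advisory describes, not the project's actual handler.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"path/filepath"
	"strings"
)

// vulnerableDocRoot reproduces the pattern the advisory describes (illustrative
// code, not Algernon's own): the configured --dir is joined with the raw Host
// header. filepath.Join runs filepath.Clean on the result, so a Host of ".."
// does not name a subdirectory; it collapses to the parent of the document root.
func vulnerableDocRoot(dir, host string) string {
	return filepath.Join(dir, host)
}

var errBadHost = errors.New("host header is not a plain hostname")

// hostDirName reduces a Host header to one safe directory name or rejects it.
// It drops an optional port, lowercases, and requires the remainder to be a
// single path element of hostname characters. Empty values, ".", "..", slashes,
// backslashes, NUL bytes and bracketed IPv6 literals are all refused.
func hostDirName(host string) (string, error) {
	h := host
	if hostOnly, _, err := net.SplitHostPort(host); err == nil {
		h = hostOnly
	}
	h = strings.ToLower(h)
	if h == "" || strings.Contains(h, "..") ||
		strings.HasPrefix(h, ".") || strings.HasSuffix(h, ".") {
		return "", errBadHost
	}
	for _, r := range h {
		letter := r >= 'a' && r <= 'z'
		digit := r >= '0' && r <= '9'
		if !letter && !digit && r != '-' && r != '.' {
			return "", errBadHost
		}
	}
	return h, nil
}

// safeDocRoot builds the per-host directory and, as a second line of defence,
// checks that the cleaned result still lies strictly inside dir.
func safeDocRoot(dir, host string) (string, error) {
	name, err := hostDirName(host)
	if err != nil {
		return "", err
	}
	root := filepath.Clean(dir)
	full := filepath.Join(root, name)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadHost
	}
	return full, nil
}

// suspiciousHostInLog flags a log line whose Host value would fail hostDirName.
// The line format is an assumption for this example: a quoted host="..." field.
// Adapt the extraction to the real log format before running it on production logs.
func suspiciousHostInLog(line string) bool {
	const key = `host="`
	start := strings.Index(line, key)
	if start < 0 {
		return false
	}
	rest := line[start+len(key):]
	end := strings.IndexByte(rest, '"')
	if end < 0 {
		return false
	}
	_, err := hostDirName(rest[:end])
	return err != nil
}

func main() {
	const dir = "/srv/www"
	for _, host := range []string{"example.com", "Example.com:443", "..", "../..", "a/b"} {
		safe, err := safeDocRoot(dir, host)
		fmt.Printf("Host %-18q vulnerable=%-22s safe=%q err=%v\n",
			host, vulnerableDocRoot(dir, host), safe, err)
	}
	// Constructed log lines for the demonstration, not captured from a real server.
	for _, l := range []string{
		`2026-05-26T10:00:00Z GET / host="example.com" status=200`,
		`2026-05-26T10:00:01Z GET / host=".." status=200`,
	} {
		fmt.Printf("suspicious=%-5v %s\n", suspiciousHostInLog(l), l)
	}
}
```

The containment check in safeDocRoot is deliberately redundant with hostDirName: the allow-list on the hostname is the real fix, and the filepath.Rel check only catches a future regression in that allow-list. The same validator doubles as a log filter because anything that is not a plain hostname is exactly what a Host-header traversal probe looks like.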

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-jc3j-x6pg-4hmv. CVSS 3.1 score 8.2 (HIGH). Affected versions: prior to 1.17.8. Fixed version: 1.17.8. Attack vector: network, low complexity, no privileges required, no user interaction. Impact: high confidentiality, low integrity, no availability impact.
