PT-2026-41969 · Algernon · Algernon

Dredsen · Published 2026-05-19 · Updated 2026-05-26 · CVE-2026-45721

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Algernon version 1.17.6

Description: An issue exists where the software performs an unbounded upward search for a file named handler.lua when a request is made for a URL path that resolves to a directory without an index file. This search can traverse past the configured server root to the filesystem root. If a handler.lua file is found in any parent directory, it is executed by the Lua interpreter with full access to the Algernon API and unsandboxed libraries, including os, io, package, and debug.

This process occurs before permission checks, allowing unauthenticated remote code execution. An attacker who can write a handler.lua file to any parent directory of the server root—such as in shared hosting environments, CI runners, or via malicious .alg archives extracted to /dev/shm—can execute arbitrary commands. Dangerous primitives available for exploitation include the run3() function, os.execute, and io.popen.

Recommendations: For version 1.17.6, clamp the DirPage search walk to ensure it terminates once the ancestor directory is no longer a descendant of the configured server root. As a temporary mitigation, ensure that no handler.lua files exist in any parent directories of the server root and restrict write permissions to those directories. Restrict the use of .alg archives that contain a top-level handler.lua file.
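The walk described above and the clamp the recommendation asks for, as an added Go example that is not Algernon's own code: findHandlerUnbounded is a hypothetical reconstruction of the behaviour the description gives (climb parent by parent until handler.lua or the filesystem root), and findHandlerClamped is one way to implement the recommended fix, stopping as soon as the candidate directory is no longer inside the configured server root. The function names, the in-memory file list and the /srv/www paths are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed in-memory view of a filesystem so the example runs offline.
// The server root is /srv/www; a handler.lua sits one level ABOVE it, which
// is exactly the file an unclamped walk ends up executing.
var sampleFiles = map[string]bool{
	"/srv/handler.lua":             true, // outside the server root
	"/srv/www/app/index.html":      true,
	"/srv/www/app/static/logo.png": true, // /srv/www/app/static has no index file
}

func sampleExists(p string) bool { return sampleFiles[p] }

// findHandlerUnbounded mirrors the flawed walk the advisory describes
// (hypothetical reconstruction, not Algernon's code): starting at the
// requested directory it climbs parent by parent until it finds handler.lua
// or reaches "/". Nothing ties the walk to the configured server root.
func findHandlerUnbounded(dir string, exists func(string) bool) (string, bool) {
	cur := filepath.Clean(dir)
	for {
		candidate := filepath.Join(cur, "handler.lua")
		if exists(candidate) {
			return candidate, true
		}
		parent := filepath.Dir(cur)
		if parent == cur { // reached the filesystem root
			return "", false
		}
		cur = parent
	}
}

// isWithinRoot reports whether dir is root itself or a descendant of root.
// Both paths are expected to be cleaned, absolute paths.
func isWithinRoot(root, dir string) bool {
	rel, err := filepath.Rel(root, dir)
	if err != nil {
		return false
	}
	// A relative path of ".." or starting with "../" means dir is outside root;
	// "/srv/wwwx" is correctly rejected because Rel yields "../wwwx".
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// findHandlerClamped is the recommended fix: the walk only visits directories
// that are still inside root, so a handler.lua in a parent of the server
// root is never considered. A requested directory that is already outside
// root is not searched at all.
func findHandlerClamped(root, dir string, exists func(string) bool) (string, bool) {
	root = filepath.Clean(root)
	cur := filepath.Clean(dir)
	for isWithinRoot(root, cur) {
		candidate := filepath.Join(cur, "handler.lua")
		if exists(candidate) {
			return candidate, true
		}
		parent := filepath.Dir(cur)
		if parent == cur {
			break
		}
		cur = parent
	}
	return "", false
}

func main() {
	const root = "/srv/www"
	const requested = "/srv/www/app/static" // directory without an index file
	p, ok := findHandlerUnbounded(requested, sampleExists)
	fmt.Printf("unbounded walk: found=%v path=%q\n", ok, p) // escapes to /srv/handler.lua
	p, ok = findHandlerClamped(root, requested, sampleExists)
	fmt.Printf("clamped walk:   found=%v path=%q\n", ok, p) // stops at /srv/www, finds nothing
}
```

When wiring this into a real server, resolve symlinks on both the root and the requested directory (filepath.EvalSymlinks) before the comparison, otherwise a link inside the root that points above it would pass isWithinRoot. The clamp only addresses the traversal; because the lookup runs before permission checks, a writable directory inside the root still lets a handler.lua be picked up, which is why the advisory's interim advice to restrict write access to the relevant directories remains useful alongside the fix.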

Tags: Exploit · Fix · Untrusted Search Path · RCE · Files Accessible to External Parties

Weakness Enumeration

Related Identifiers: CVE-2026-45721, GHSA-XWCR-WM99-G9JC

Affected Products: Algernon