PT-2026-41970 · Algernon · Algernon

Dredsen · Published 2026-05-19 · Updated 2026-05-26 · CVE-2026-45728

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Algernon versions prior to 1.17.7

Description: When Algernon is started with a single file path instead of a directory, the singleFileMode is enabled, which forcibly activates debugMode. This configuration enables the PrettyError renderer, which discloses the absolute disk path and the complete byte contents of the file that caused a Lua or template error, along with the exception or parser error text. This information is served with an HTTP 200 OK status to any requester.

An attacker can trigger this disclosure by provoking a runtime error through common inputs, such as sending an unsupported HTTP method to an endpoint, submitting invalid parameter types that cause a tonumber() failure, or sending requests missing required headers. This can lead to the exposure of sensitive server-side source code, including database connection strings, API keys, and secrets. Notably, using the --prod flag does not prevent this behavior for non-.lua extensions (such as .po2, .amber, .html, .tmpl, .tl, or .pongo2), as the forced debugMode override takes precedence.

Recommendations: Update to version 1.17.7. As a temporary workaround, avoid invoking the server with a single file path and instead serve content from a directory. Restrict the use of single-file mode for any environment exposed to untrusted network traffic.
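An added example (not code from the advisory or from the Algernon project): a small Python audit that applies the conditions above to an Algernon command line and a version string, so an operator can check deployed instances against the workaround. It assumes the version is collected separately, treats a single positional argument with a file extension as a single-file invocation, and reads the advisory's wording as meaning --prod does cover .lua files.

```python
# Added example, not part of the advisory or of Algernon itself.
# Assumptions: version string supplied by the caller; a lone positional
# argument is judged a "single file path" by its extension; --prod is the
# only flag inspected, all other flags are ignored.
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Extensions the advisory lists as still affected even with --prod set.
TEMPLATE_EXTS = {".po2", ".amber", ".html", ".tmpl", ".tl", ".pongo2"}
FIXED_VERSION = (1, 17, 7)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '1.17.6' or 'v1.17.6-rc1' into a comparable tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def single_file_target(argv: List[str]) -> Optional[str]:
    """Return the positional argument if it looks like a file, else None.

    Flags (anything starting with '-') are skipped. A single positional
    argument with an extension is taken to be a file; one without an
    extension is taken to be a directory (heuristic, no filesystem access).
    """
    positional = [a for a in argv[1:] if not a.startswith("-")]
    if len(positional) != 1:
        return None
    target = positional[0]
    return target if os.path.splitext(target)[1] else None


@dataclass
class Assessment:
    vulnerable: bool
    reason: str


def assess(argv: List[str], version: str) -> Assessment:
    """Combine the version check and the invocation check into one verdict."""
    if parse_version(version) >= FIXED_VERSION:
        return Assessment(False, "version includes the fix (>= 1.17.7)")
    target = single_file_target(argv)
    if target is None:
        return Assessment(False, "serving a directory, debugMode not forced")
    ext = os.path.splitext(target)[1].lower()
    if "--prod" in argv and ext == ".lua":  # advisory implies --prod covers .lua
        return Assessment(False, "--prod in effect for a .lua file")
    return Assessment(True, f"single-file mode forces debugMode for {ext}")
```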

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

CVE-2026-45728
GHSA-FWQX-8365-9983

Affected Products

Algernon