PT-2026-42207 · Algernon · Algernon

Dredsen · Published 2026-05-20 · Updated 2026-05-26 · CVE-2026-46430

CVSS v3.1: 4.3 Medium
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Algernon versions prior to 1.17.7

Description

On Linux and macOS, the SSE event server binds to 0.0.0.0:5553 by default, making it accessible to any peer on the same local area network (LAN). This occurs because the platform-dependent host default in engine/flags.go sets the host variable to an empty string for non-Windows systems, which the utils.JoinHostPort() function resolves to listen on all available network interfaces. In contrast, Windows users are restricted to the loopback address. This allows an unauthorized network peer to connect to the server and read the file-change stream, leading to the disclosure of filenames and edit timing.

Recommendations

Update to version 1.17.7.
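
The empty-host default from the Description, as an added example that is not Algernon's code: it shows why ":port" ends up on every interface, how a loopback fallback differs, and a check for auditing a configured listen address. The standard library's net.JoinHostPort stands in for utils.JoinHostPort as an assumption, and the function names and the use of port 0 are hypothetical.

```go
package main

import (
	"fmt"
	"net"
)

// listenAddr: net.JoinHostPort stands in (assumption) for utils.JoinHostPort.
func listenAddr(host, port string) string { return net.JoinHostPort(host, port) }

// loopbackDefault is a hypothetical hardened default for an unset host.
func loopbackDefault(host, port string) string {
	if host == "" {
		host = "127.0.0.1"
	}
	return net.JoinHostPort(host, port)
}

// exposure classifies a listen address without opening a socket.
func exposure(addr string) string {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return "invalid"
	}
	ip := net.ParseIP(host)
	switch {
	case host == "" || (ip != nil && ip.IsUnspecified()):
		return "all-interfaces"
	case host == "localhost" || (ip != nil && ip.IsLoopback()):
		return "loopback"
	}
	return "specific"
}

// boundWildcard listens on addr and reports a wildcard (0.0.0.0 or ::) bind.
func boundWildcard(addr string) (bool, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	return ln.Addr().(*net.TCPAddr).IP.IsUnspecified(), nil
}

func main() {
	for _, a := range []string{listenAddr("", "0"), loopbackDefault("", "0")} {
		wild, err := boundWildcard(a) // port 0 is constructed input: the OS picks a free port
		fmt.Println(a, exposure(a), "wildcard:", wild, err)
	}
}
```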

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related Identifiers

CVE-2026-46430
GHSA-GJ84-924C-48FX

Affected Products

Algernon