PT-2026-42208 · Algernon · Algernon

Dredsen · Published 2026-05-20 · Updated 2026-05-26 · CVE-2026-46431

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Algernon versions prior to 1.17.7
Description: The SSE event server's Access-Control-Allow-Origin response header is hardcoded to the wildcard *, regardless of the caller's Origin. Because EventSource does not perform a preflight request and does not send cookies, this configuration allows any third-party page visited by a user to open a cross-origin EventSource connection to the SSE port. This enables a cross-origin script to read the live filename stream from JavaScript. The issue is rooted in the GenFileChangeEvents() function, where the wildcard is passed as the allowed origin, granting script-level read access to the stream for any origin.
Recommendations: Update to version 1.17.7. As a temporary workaround, restrict access to the SSE port to minimize the risk of cross-origin exploitation.
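
The misconfiguration and its fix side by side, as an added Go example that is not Algernon's own code: one SSE handler sends the wildcard the advisory describes, the other echoes an Origin only when it is on an allowlist, and a small harness shows what header a foreign page would receive from each. The allowlist contents, the handler names and the third-party origin are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is a constructed allowlist standing in for the origins an
// operator actually serves the page from; an assumption, not Algernon's configuration.
var allowedOrigins = map[string]bool{
	"http://localhost:3000": true,
}

// vulnerableSSEHeaders follows the pattern the advisory describes: the
// wildcard is sent as the allowed origin regardless of the caller's Origin.
func vulnerableSSEHeaders(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/event-stream")
	w.Header().Set("Cache-Control", "no-cache")
	w.Header().Set("Access-Control-Allow-Origin", "*")
}

// hardenedSSEHeaders echoes the Origin back only when it is on the allowlist.
// Any other origin gets no Access-Control-Allow-Origin header at all, so the
// browser refuses to expose the stream to that page's scripts.
func hardenedSSEHeaders(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/event-stream")
	w.Header().Set("Cache-Control", "no-cache")
	if origin := r.Header.Get("Origin"); origin != "" && allowedOrigins[origin] {
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Vary", "Origin") // keep caches from serving one origin's answer to another
	}
}

// acaoFor runs a handler against a GET carrying the given Origin and returns
// the Access-Control-Allow-Origin value the browser would evaluate.
func acaoFor(h http.HandlerFunc, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/sse", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	third := "https://third-party.example" // constructed foreign origin
	fmt.Printf("vulnerable: %q\n", acaoFor(vulnerableSSEHeaders, third)) // "*"
	fmt.Printf("hardened:   %q\n", acaoFor(hardenedSSEHeaders, third))   // ""
}
```

Pair the allowlist with the advisory's workaround of restricting network access to the SSE port; the header check only governs what a browser will expose to scripts, not who can connect.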

Related Identifiers

CVE-2026-46431
GHSA-HW27-4V2Q-5QFF

Affected Products

Algernon