PT-2026-43298 · Algernon · Algernon

Katrielmoses

·

Published

2026-05-26

·

Updated

2026-05-26

·

CVE-2026-43982

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Algernon versions prior to 1.17.6
Description The uploadedFileSaveIn() function in lua/upload/upload.go uses filepath.Join() with a directory provided by the caller without performing a boundary check after the operation. This allows a directory path such as ../../../tmp to resolve to /tmp, enabling files to be saved outside the intended web root.
Recommendations Update to version 1.17.6.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43982
GHSA-2J2C-PV62-MMCP

Affected Products

Algernon