PT-2026-43308 · Algernon · Algernon

Fg0X0

·

Published

2026-05-26

·

Updated

2026-06-25

·

CVE-2026-48126

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions Algernon versions prior to 1.17.8
Description When started with the --domain flag or the --letsencrypt flag (which enables --domain automatically), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header using filepath.Join without validation. An attacker can provide a Host: .. header to traverse one level above the document root. This allows for arbitrary file read and full directory listing of the parent directory. Additionally, if a .lua file is present in the parent directory, it can lead to server-side Lua execution, enabling the execution of shell commands as the process user via the run3() function.
Recommendations Update to version 1.17.8. As a temporary workaround, avoid using the --domain or --letsencrypt flags until the update is applied.

Exploit

Fix

RCE

Relative Path Traversal

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-48126
GHSA-JC3J-X6PG-4HMV
GO-2026-5460

Affected Products

Algernon