PT-2026-43308 · Algernon · Algernon
Fg0X0
·
Published
2026-05-26
·
Updated
2026-06-25
·
CVE-2026-48126
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Algernon versions prior to 1.17.8
Description
When started with the
--domain flag or the --letsencrypt flag (which enables --domain automatically), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header using filepath.Join without validation. An attacker can provide a Host: .. header to traverse one level above the document root. This allows for arbitrary file read and full directory listing of the parent directory. Additionally, if a .lua file is present in the parent directory, it can lead to server-side Lua execution, enabling the execution of shell commands as the process user via the run3() function.Recommendations
Update to version 1.17.8.
As a temporary workaround, avoid using the
--domain or --letsencrypt flags until the update is applied.Exploit
Fix
RCE
Relative Path Traversal
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Algernon