Vulnerability in Xyproto Algernon
CVE-2026-43981
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua's LState is explicitly not…
Vulnerability class: Race Condition
EPSS: 0.001 (15.9th percentile)
Affected products
- Xyproto Algernon — versions < 1.17.6
Weakness classification (CWE)