Path Traversal in Xyproto Algernon

CVE-2026-43982

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check after joining. A directory of ../…
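The missing boundary check described above, as an added Go example; this is not Algernon's code or its 1.17.6 patch. The helper names, the base directory and the sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase reports that a joined path left the base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// uncheckedJoin shows the pattern from the description: join, then use the result.
// filepath.Join cleans the path, so ".." segments silently climb out of base.
func uncheckedJoin(base, dir, name string) string {
	return filepath.Join(base, dir, name)
}

// checkedJoin (hypothetical helper) joins, then verifies the result is still
// under base. The check is lexical only; it does not resolve symlinks.
func checkedJoin(base, dir, name string) (string, error) {
	base = filepath.Clean(base)
	joined := filepath.Join(base, dir, name)
	// Rel gives the path from base to joined; a leading ".." element means
	// joined is outside base. Comparing whole elements avoids the mistake of
	// a plain string-prefix test, which would accept "/srv/app/uploads-old".
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

func main() {
	base := "/srv/app/uploads" // constructed sample value
	// Constructed sample directories: two benign, two that leave base,
	// and one whose name merely starts with two dots.
	dirs := []string{"images", "a/../b", "../../etc", "../uploads-old", "..cache"}
	for _, dir := range dirs {
		p, err := checkedJoin(base, dir, "f.txt")
		fmt.Printf("%-18q unchecked=%-28s checked=%q err=%v\n",
			dir, uncheckedJoin(base, dir, "f.txt"), p, err)
	}
}
```
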

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (19.2th percentile)
