Xyproto Algernon
7 CVEs affecting Xyproto Algernon. Latest disclosed: 2026-05-26. Critical: 1, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2026-45721 | Critical | 9.0 | 2026-05-26 | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index f… |
CVE-2026-48126 | High | 8.2 | 2026-05-26 | Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --dom… |
CVE-2026-45728 | High | 7.5 | 2026-05-26 | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode… |
CVE-2026-46431 | Medium | 4.3 | 2026-05-26 | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the… |
CVE-2026-46430 | Medium | 4.3 | 2026-05-26 | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platfo… |
CVE-2026-43982 | | 2026-05-26 | Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-suppl… | |
CVE-2026-43981 | | 2026-05-26 | Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released be… |