CVE-2023-26131
Description
All versions of the package github.com/xyproto/algernon/engine; all versions of the package github.com/xyproto/algernon/themes are vulnerable to Cross-site Scripting (XSS) via the themes.NoPage(filename, theme) function due to improper user input sanitization. Exploiting this vulnerability is possible when a file/resource is not found.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in Algernon's themes.NoPage function allows arbitrary script execution when a missing resource is requested.
Vulnerability
Overview
The vulnerability resides in the themes.NoPage(filename, theme) function within the Algernon web server packages github.com/xyproto/algernon/engine and github.com/xyproto/algernon/themes. The filename taken from the request is placed into the generated "not found" page without being sanitized, so an attacker can inject arbitrary HTML and JavaScript into the response returned when a requested file or resource does not exist [1][2].
Exploitation
Details
An attacker can exploit this by requesting a URL whose path is a malicious payload rather than a valid resource. For example, visiting http://localhost:3000/<img%20src=x%20onerror=alert(document.domain)%20/> triggers the NoPage function, which reflects the unsanitized path back into the error page served to the browser [3][4]. No authentication is required and the request is a plain HTTP GET, so anyone who can send requests to the server can produce the malicious response; as with any reflected XSS, the script runs in a victim's session only when that victim is induced to open the crafted URL.
Impact
Successful exploitation is a reflected cross-site scripting (XSS) condition: attacker-controlled JavaScript executes in the victim's browser in the origin of the Algernon server. This can lead to session hijacking, defacement, or theft of data that the origin exposes to scripts.
Mitigation
The issue is reported as fixed in version 1.17.4 of both affected packages [3][4]; users are advised to upgrade to that version or later. Note that the GitHub Security Advisory data reproduced in the table below lists versions up to and including 1.15.2 as affected and records no patched version, so verify the escaping in the referenced handlers.go and html.go of the version you deploy rather than relying on the version number alone. No workarounds are documented; upgrading is the recommended action.
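The reflection described under Exploitation, and the escaping that Mitigation relies on, as an added example. This is not Algernon's code: vulnerableNoPage and safeNoPage are hypothetical stand-ins for an unescaped and an escaped 404-page generator, the HTML skeleton and the payload string are constructed for the demonstration, and only the pattern (untrusted path concatenated into HTML versus passed through html.EscapeString) is what the advisory describes.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// payload is a constructed XSS probe of the same shape as the one in the
// advisory write-up; the exact string is an assumption for this example.
const payload = `<img src=x onerror=alert(document.domain) />`

// vulnerableNoPage is a hypothetical stand-in for a 404 generator that
// concatenates the requested filename straight into HTML (the flaw class
// described for themes.NoPage; not the project's real code).
func vulnerableNoPage(filename string) string {
	return "<!doctype html><html><body><h1>404 Not Found</h1><p>" +
		filename + " could not be found</p></body></html>"
}

// safeNoPage is the hardened form: the untrusted filename is HTML-escaped
// before it lands in element content, so markup in the path is inert.
func safeNoPage(filename string) string {
	return "<!doctype html><html><body><h1>404 Not Found</h1><p>" +
		html.EscapeString(filename) + " could not be found</p></body></html>"
}

// newHandler wires a NoPage-style generator into an http.Handler that answers
// every path with a 404, the way a static server's not-found fallback would.
func newHandler(noPage func(string) string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.WriteHeader(http.StatusNotFound)
		// r.URL.Path is already percent-decoded, so the raw payload reaches noPage.
		fmt.Fprint(w, noPage(r.URL.Path))
	})
}

// probe requests the payload as the path (percent-encoded on the wire, as a
// browser would send it) and returns the HTML body the handler produced.
func probe(h http.Handler) string {
	req := httptest.NewRequest(http.MethodGet, "/"+url.PathEscape(payload), nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Body.String()
}

// containsRawPayload reports whether the payload survives unescaped in body,
// which is the condition under which a browser would execute it.
func containsRawPayload(body string) bool {
	return strings.Contains(body, payload)
}

func main() {
	fmt.Println("unescaped generator reflects raw payload:",
		containsRawPayload(probe(newHandler(vulnerableNoPage))))
	fmt.Println("escaped generator reflects raw payload:  ",
		containsRawPayload(probe(newHandler(safeNoPage))))
}
```

html.EscapeString is sufficient here only because the filename is inserted as element text; a filename placed inside an attribute or a script block would need context-specific encoding (or html/template), which is the check to apply when reviewing the real fix.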
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/xyproto/algernon (Go) | <= 1.15.2 | — |
Affected products: 1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-g47h-fgcw-g4ph (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-26131 (NVD advisory)
- github.com/xyproto/algernon/blob/aab484608651852d02a8a93f40baf53ed93e639a/engine/handlers.go (source, via GHSA)
- github.com/xyproto/algernon/blob/aab484608651852d02a8a93f40baf53ed93e639a/themes/html.go (source, via GHSA)
- security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMXYPROTOALGERNONENGINE-3312111 (Snyk, via GHSA)
- security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMXYPROTOALGERNONTHEMES-3312112 (Snyk, via GHSA)
- github.com/xyproto/algernon/blob/aab484608651852d02a8a93f40baf53ed93e639a/engine/handlers.go#L512 (source, via MITRE)
- github.com/xyproto/algernon/blob/aab484608651852d02a8a93f40baf53ed93e639a/engine/handlers.go#L514 (source, via MITRE)
- github.com/xyproto/algernon/blob/aab484608651852d02a8a93f40baf53ed93e639a/themes/html.go#L145 (source, via MITRE)