Go modules package
github.com/xyproto/algernon
pkg:golang/github.com/xyproto/algernon
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-48126 | Hig | 8.2 | < 1.17.8 | 1.17.8 | May 26, 2026 | Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the v | |
| CVE-2025-65754 | — | < 1.17.5 | 1.17.5 | Dec 10, 2025 | Cross Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code via injecting a crafted payload into a filename. | ||
| CVE-2023-26131 | Med | 5.4 | <= 1.15.2 | — | May 31, 2023 | All versions of the package github.com/xyproto/algernon/engine; all versions of the package github.com/xyproto/algernon/themes are vulnerable to Cross-site Scripting (XSS) via the themes.NoPage(filename, theme) function due to improper user input sanitization. Exploiting this vul |
- affected < 1.17.8fixed 1.17.8
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the v
- CVE-2025-65754Dec 10, 2025affected < 1.17.5fixed 1.17.5
Cross Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code via injecting a crafted payload into a filename.
- affected <= 1.15.2
All versions of the package github.com/xyproto/algernon/engine; all versions of the package github.com/xyproto/algernon/themes are vulnerable to Cross-site Scripting (XSS) via the themes.NoPage(filename, theme) function due to improper user input sanitization. Exploiting this vul