VYPR

Vendor: Xyproto
Products: 3
CVEs: 9 (across products: 9)
Status: Private

Recent CVEs (9)
  • CVE-2026-45721 | Critical | May 26, 2026
    risk 0.52 | CVSS 9.0 | EPSS 0.00

    Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named…

  • CVE-2026-43982 | High | May 26, 2026
    risk 0.50 | CVSS n/a | EPSS 0.00

    Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp,…

  • CVE-2026-48126 | High | May 26, 2026
    risk 0.46 | CVSS 8.2 | EPSS 0.00

    Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the…

  • CVE-2026-43981 | High | May 26, 2026
    risk 0.46 | CVSS n/a | EPSS 0.00

    Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests…

  • CVE-2026-45728 | High | May 26, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.00

    Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or…

  • CVE-2023-26131 | Medium | May 31, 2023
    risk 0.35 | CVSS 5.4 | EPSS 0.01

    All versions of the package github.com/xyproto/algernon/engine; all versions of the package github.com/xyproto/algernon/themes are vulnerable to Cross-site Scripting (XSS) via the themes.NoPage(filename, theme) function due to improper user input sanitization. Exploiting this…

  • CVE-2026-46431 | Medium | May 26, 2026
    risk 0.21 | CVSS 4.3 | EPSS 0.00

    Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the…

  • CVE-2026-46430 | Medium | May 26, 2026
    risk 0.21 | CVSS 4.3 | EPSS 0.00

    Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553")…

  • CVE-2025-65754 | Dec 10, 2025
    risk 0.00 | CVSS n/a | EPSS 0.00

    Cross-Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code by injecting a crafted payload into a filename.