CVSS 8.2 HIGH Vulnerability

CVE-2026-48126: Algernon: Host header path traversal in --domain mode reads files and runs Lua from paren…



📋 Vulnerability Details

CVE ID: CVE-2026-48126
Vendor: go (GitHub Advisory ecosystem)
Affected Product: github.com/xyproto/algernon
Affected Versions: 1.17.7 and earlier
Vulnerability Type: Path traversal via the Host header
CVSS Score: 8.2 (HIGH)
CISA KEV: No
Actively Exploited: No known exploitation
Patch Status: See vendor advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Summary

When algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory: arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. Algernon 1.17.7 and earlier are affected.

Details

engine/handlers.go (function RegisterHandlers, around line 510):

```go
allRequests := func(w http.ResponseWriter, req *http.Request) {
	...
	servedir := servedi
```
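To make the flaw concrete, here is an added Go example, written for this page rather than taken from Algernon, that puts the unchecked join the advisory describes beside a hardened replacement. The function names, the /srv/www root and the sample Host values are assumptions of the example, not anything from the project. Go's net/http rejects a Host header containing a slash as malformed before any handler runs, which is why a bare Host: .. reaches exactly one directory above the root; the hardened version rejects that case and then re-checks the final path with filepath.Rel so that no string-level shortcut can be missed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"path/filepath"
	"strings"
)

// vulnerableServeDir reproduces the pattern the advisory describes: the
// per-request document root is the configured --dir joined with the raw
// Host header, with no validation. Illustrative reconstruction for this
// example, not Algernon's own code. With host ".." the result is the
// parent of root.
func vulnerableServeDir(root, host string) string {
	return filepath.Join(root, host)
}

var errBadHost = errors.New("host header does not name a directory under the document root")

// safeServeDir is a hardened counterpart written for this example (not a
// patch from the project). It drops an optional port, rejects hosts that
// are dot segments or contain path separators, and then proves with
// filepath.Rel that the joined path is still strictly inside root.
func safeServeDir(root, host string) (string, error) {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // "example.com:8080" -> "example.com"
	}
	host = strings.ToLower(host)
	if host == "" || host == "." || host == ".." ||
		strings.ContainsAny(host, `/\`) || strings.Contains(host, "..") {
		return "", errBadHost
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absRoot, host)
	// Defense in depth: whatever the string checks missed, the final path
	// must be a proper child of the root, never the root itself or above it.
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadHost
	}
	return candidate, nil
}

// newVhostHandler answers each request with the directory that would be
// served for its Host header, or 400 when the header is rejected. In a
// real server the directory would be handed to the file-serving code.
func newVhostHandler(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		dir, err := safeServeDir(root, req.Host)
		if err != nil {
			http.Error(w, "bad host", http.StatusBadRequest)
			return
		}
		fmt.Fprintln(w, dir)
	})
}

func main() {
	const root = "/srv/www" // assumed --dir for the demonstration
	// Constructed sample Host values: two legitimate vhosts and the
	// traversal value from the advisory.
	for _, host := range []string{"example.com", "example.com:8080", ".."} {
		fmt.Printf("Host: %-18q vulnerable=%q", host, vulnerableServeDir(root, host))
		if dir, err := safeServeDir(root, host); err != nil {
			fmt.Printf(" hardened=rejected (%v)\n", err)
		} else {
			fmt.Printf(" hardened=%q\n", dir)
		}
	}
}
```

Running the block prints, for Host ".." , a vulnerable path of /srv (the parent of the root) next to a rejection from the hardened resolver, while the two ordinary vhost values resolve to /srv/www/example.com in both. An allowlist of the domains the instance is meant to serve would be stricter still; the example deliberately shows the minimal check that closes the traversal without changing how --domain mode lays out its directories.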

