Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This vulnerability is fixed in 1.17.6.
Published: 2026-05-26
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Algernon's Lua upload helper builds the destination path by passing the caller-supplied directory and the uploaded file's name through filepath.Join. filepath.Join cleans ".." segments lexically but does not confine the result, and no validation is performed after the join, so a directory such as ../../../tmp resolves to /tmp and the file is written outside the web root. This is a classic path traversal (CWE-22) on the write side: the CVSS v4.0 vector records high integrity impact (VI:H) and no direct confidentiality impact (VC:N), so the primary consequence is an arbitrary file write rather than a read. An arbitrary write can still escalate, for example if the written content lands somewhere the server or host later executes or trusts, or if an existing privileged file is overwritten.

Affected Systems

The vulnerability affects the xyproto "Algernon" web server in all releases prior to 1.17.6. Deployments running any 1.17.x version earlier than 1.17.6, or any older release, are exposed if the upload API (the Lua savein() helper) is reachable and the directory argument it receives can be influenced by request input.

Risk and Exploitability

The CVSS v4.0 base score of 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N, VI:H) indicates high risk: network reachable, low complexity, no privileges or user interaction required. EPSS data is not available, so the exploitation probability is unquantified. Absence from the KEV catalog means no in-the-wild exploitation has been recorded, not that exploitation is difficult; the SSVC assessment in the history below lists Exploitation: none but Automatable: yes. The attack vector is a web-based file upload handled by Lua code calling savein(); the adversary must be able to influence the directory argument passed to that call, which depends on how the deploying application constructs it and may be restricted by authentication. Where that argument is attacker-influenced, the missing boundary check gives a direct path to writing files outside the intended directory.

Generated by OpenCVE AI on May 26, 2026 at 18:25 UTC.

Remediation

Fixed in Algernon 1.17.6, per the CVE description; upgrade to 1.17.6 or later. No vendor workaround for earlier releases is listed on this page.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch by upgrading to Algernon version 1.17.6 or newer, which adds proper boundary checking to uploadedFileSaveIn().
  • If an upgrade is not immediately possible, ensure that application Lua code never passes request-derived input as the directory argument to savein(), or validates that argument against an allowlist of upload directories before the call. Filtering ".." out of raw requests at the front end is fragile on its own; the durable control is to validate the path the server actually resolves.
  • Implement server-side validation so that the joined and cleaned destination path remains inside the designated upload root, for example by computing the path relative to the absolute root (filepath.Rel) and rejecting any result that starts with ".." or equals ".", or by allowlisting the permitted directories outright.
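As an added illustration of the join-without-check pattern described in the Impact section and of the post-join boundary check recommended above. This is example code written for this page, not Algernon's own code; the function names, the upload root /srv/www/uploads and the sample inputs are assumptions, and nothing is written to disk.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the joined path escapes the upload root.
var ErrOutsideRoot = errors.New("upload path escapes the upload root")

// unsafeSavePath reproduces the pattern the CVE text describes: the
// caller-supplied directory and filename are joined onto the root and the
// result is used as-is. filepath.Join cleans ".." segments lexically, so a
// directory of "../../../tmp" collapses to a path outside root.
// Hypothetical reconstruction for illustration, not Algernon's code.
func unsafeSavePath(root, dir, filename string) string {
	return filepath.Join(root, dir, filename)
}

// safeSavePath joins the same inputs and then applies the missing boundary
// check: the joined, cleaned path must be strictly inside the absolute root.
func safeSavePath(root, dir, filename string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// The filename must be a single path element. "." and ".." are not
	// names, and Base("..") == "..", so they need an explicit check.
	if filename == "" || filename == "." || filename == ".." || filepath.Base(filename) != filename {
		return "", fmt.Errorf("invalid filename %q", filename)
	}
	target := filepath.Join(absRoot, dir, filename)
	// Rel yields a path starting with ".." exactly when target lies outside
	// absRoot, and "." when target is absRoot itself (also not a valid file).
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

func main() {
	// Constructed sample inputs against an assumed upload root.
	root := "/srv/www/uploads"
	cases := []struct{ dir, name string }{
		{"../../../tmp", "evil.txt"}, // the traversal from the CVE text
		{"images/2026", "photo.png"}, // benign nested directory
		{"images/../..", "x"},        // traversal hidden behind a real directory
		{"/tmp", "x"},                // absolute dir: Join keeps it under root
	}
	for _, c := range cases {
		fmt.Printf("unsafe: %-40s", unsafeSavePath(root, c.dir, c.name))
		if p, err := safeSavePath(root, c.dir, c.name); err != nil {
			fmt.Printf("safe: rejected (%v)\n", err)
		} else {
			fmt.Printf("safe: %s\n", p)
		}
	}
}
```

filepath.Join only cleans; it never confines, so the containment test has to run on the joined output rather than on the raw directory string. The check is purely lexical: if directories under the upload root may be symlinks pointing elsewhere, resolve the target's existing ancestor with filepath.EvalSymlinks before comparing, or open the file relative to a root-restricted handle.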

Generated by OpenCVE AI on May 26, 2026 at 18:25 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 26 May 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 17:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This vulnerability is fixed in 1.17.6.
Title         (none)           Algernon: Path traversal file write via savein()
Weaknesses    (none)           CWE-22
References    (none)           (none listed)
Metrics       (none)           cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T17:20:19.616Z

Reserved: 2026-05-04T20:24:31.916Z

Link: CVE-2026-43982

Vulnrichment

Updated: 2026-05-26T17:20:13.751Z

NVD

Status : Received

Published: 2026-05-26T17:16:46.107

Modified: 2026-05-26T17:16:46.107

Link: CVE-2026-43982

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T18:30:12Z

Weaknesses