Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error response dumps the absolute path of the file that errored, complete byte contents of that file, and exception or parser error text. This response is served with HTTP 200 OK to whoever sent the request that triggered the error. Any client able to reach the server and able to provoke a runtime error in the served script obtains the full server-side source of that script and of any sibling Lua data file consulted during the request. This vulnerability is fixed in 1.17.7.
Published: 2026-05-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Algernon, a self‑contained Go web server, enabled debug mode whenever it was started in single‑file mode before version 1.17.7. Debug mode activates the PrettyError renderer, which, on any Lua or template error, returns the full absolute path, the complete byte contents of the source file, and the exception or parser error text. The error response is delivered with an HTTP 200 OK status to the offending client, meaning that a malicious or even benign user can trigger a runtime error and receive the server‑side source of the script and any related Lua data file.
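The error path described above, as an added illustration that is not Algernon's own code (scriptError, prettyError, safeError and errorHandler are hypothetical names): the debug renderer echoes the absolute path, the whole source file and the error text to the client with HTTP 200, while the hardened handler keeps those details in the server log, returns a generic 500, and takes the debug decision from an explicit flag rather than from single-file mode.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
)

// scriptError is a constructed stand-in for a Lua or template failure.
type scriptError struct{ path, msg string }

// prettyError reproduces the behaviour the advisory describes (hypothetical
// reconstruction): path, full source and error text go to the client, HTTP 200.
func prettyError(w http.ResponseWriter, e scriptError) {
	src, _ := os.ReadFile(e.path)
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "Error in %s:\n%s\n%s", e.path, src, e.msg)
}

// safeError is the hardened counterpart: details stay in the server log,
// the client only sees a generic 500.
func safeError(w http.ResponseWriter, e scriptError) {
	log.Printf("script error in %s: %s", e.path, e.msg)
	http.Error(w, "Internal Server Error", http.StatusInternalServerError)
}

// errorHandler gates the renderer on an explicit debug flag; deriving debug
// from "started with a single file" is the insecure default (CWE-1188) here.
func errorHandler(debug bool, e scriptError) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if debug {
			prettyError(w, e)
			return
		}
		safeError(w, e)
	})
}

// render drives a handler with one request and returns status and body.
func render(h http.Handler) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Code, rec.Body.String()
}

func main() { // stand-alone demo of the hardened path (constructed input)
	e := scriptError{path: "/srv/app/index.lua", msg: "attempt to index a nil value"}
	fmt.Println(render(errorHandler(false, e)))
}
```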

Affected Systems

The vulnerability affects the xyproto:algernon package in all releases prior to 1.17.7. Users running any of those previous versions should verify their installation and plan an upgrade.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity impact. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be able to reach the server and trigger a runtime error, after which the full source code is disclosed. The lack of an EPSS score suggests no known exploitation activity at the time of analysis, but the confidentiality impact and ease of triggering warrant immediate attention.

Generated by OpenCVE AI on May 26, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to xyproto:algernon version 1.17.7 or later as fixed by the vendor
  • If an immediate upgrade is impossible, avoid using single‑file mode or disable the debug renderer in configuration
  • Restrict network access to the Algernon server via firewall or ACLs to limit exposure to trusted clients

Generated by OpenCVE AI on May 26, 2026 at 19:08 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-fwqx-8365-9983
Title: Algernon: Single-file mode unconditionally enables debug mode

History

Wed, 27 May 2026 10:30:00 +0000

First Time appeared: added Xyproto, Xyproto algernon
Vendors & Products: added Xyproto, Xyproto algernon

Tue, 26 May 2026 18:30:00 +0000

Metrics (ssvc): added
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:00:00 +0000

Description: added (same text as the Description section above)
Title: added "Algernon: Single-file mode unconditionally enables debug mode"
Weaknesses: added CWE-1188, CWE-209, CWE-489, CWE-540
References:
Metrics (cvssV3_1): added
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T17:31:40.280Z

Reserved: 2026-05-13T05:51:48.667Z

Link: CVE-2026-45728

Vulnrichment

Updated: 2026-05-26T17:30:50.618Z

NVD

Status : Deferred

Published: 2026-05-26T17:16:47.900

Modified: 2026-05-26T19:26:42.643

Link: CVE-2026-45728

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:04:45Z

Weaknesses
  • CWE-1188: Initialization of a Resource with an Insecure Default
  • CWE-209: Generation of Error Message Containing Sensitive Information
  • CWE-489: Active Debug Code
  • CWE-540: Inclusion of Sensitive Information in Source Code