SCA: security update for github.com/xyproto/algernon (GHSA-jc3j-x6pg-4hmv)

Severity: High. Tenable Cloud Security Plugin ID 443843

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory: arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8. (CVE-2026-48126)
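The description above explains the flaw as an unvalidated filepath.Join of --dir with the Host header. The Go snippet below is an added illustration, not code from algernon or from the advisory: it places the flawed join next to a hardened resolver that accepts only hostname characters and then confirms the joined path still lies under the document root. The root path, the hostname pattern and the function names are assumptions.

```go
package main

import (
	"errors"
	"net"
	"path/filepath"
	"regexp"
	"strings"
)

// hostPattern admits DNS-style hostnames only (labels of letters, digits and
// hyphens separated by single dots). It rejects "..", "/", "\", ":" and empty
// labels, so nothing path-like can reach the join. IP literals are rejected too.
var hostPattern = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$`)

var errBadHost = errors.New("invalid Host header")

// unsafeDir mirrors the flawed pattern from the advisory: the raw Host value is
// joined onto the document root with no validation. filepath.Join cleans the
// result, so a Host of ".." yields the parent of root.
func unsafeDir(root, host string) string {
	return filepath.Join(root, host)
}

// safeDir is the hardened form: normalise the host, drop any ":port", require a
// well-formed hostname, and verify the joined directory stays below root.
func safeDir(root, host string) (string, error) {
	h := strings.ToLower(strings.TrimSpace(host))
	if hp, _, err := net.SplitHostPort(h); err == nil { // "example.com:8080" -> "example.com"
		h = hp
	}
	if h == "" || !hostPattern.MatchString(h) {
		return "", errBadHost
	}
	cleanRoot := filepath.Clean(root)
	dir := filepath.Join(cleanRoot, h)
	// Defence in depth: even a value that passed the pattern must resolve under root.
	rel, err := filepath.Rel(cleanRoot, dir)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadHost
	}
	return dir, nil
}
```

With the assumed root /srv/www, safeDir maps "Example.COM:8080" to /srv/www/example.com and rejects "..", "../etc", "a/b" and ".hidden", while unsafeDir("/srv/www", "..") returns /srv.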

Solution

Update the github.com/xyproto/algernon library and its related packages to version 1.17.8 or later.

See Also

https://github.com/advisories/GHSA-jc3j-x6pg-4hmv

Plugin Details

Severity: High

ID: 443843

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 6/24/2026

Updated: 6/24/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 52.04

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:N

CVSS Score Source: CVE-2026-48126

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/23/2026

Vulnerability Publication Date: 5/26/2026

Reference Information

CVE: CVE-2026-48126