SCA: security update for github.com/xyproto/algernon (GHSA-fwqx-8365-9983)

high Tenable Self-Hosted Container Security Plugin ID 442172

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a
single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled.
debugMode activates the PrettyError renderer, which on any Lua or template error response dumps the
absolute path of the file that errored, complete byte contents of that file, and exception or parser error
text. This response is served with HTTP 200 OK to whoever sent the request that triggered the error. Any
client able to reach the server and able to provoke a runtime error in the served script obtains the full
server-side source of that script and of any sibling Lua data file consulted during the request. This
vulnerability is fixed in 1.17.7. (CVE-2026-45728)

Solution

Update the github.com/xyproto/algernon library and its related packages to version 1.17.7 or later.

See Also

https://github.com/advisories/GHSA-fwqx-8365-9983

Plugin Details

Severity: High

ID: 442172

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 5/19/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.69

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-45728

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/19/2026

Vulnerability Publication Date: 5/19/2026

Reference Information

CVE: CVE-2026-45728