CVE-2026-43982 | THREATINT

Description

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This vulnerability is fixed in 1.17.6.

PUBLISHED Reserved 2026-05-04 | Published 2026-05-26 | Updated 2026-05-26 | Assigner GitHub_M

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

< 1.17.6

affected

References

github.com/...gernon/security/advisories/GHSA-2j2c-pv62-mmcp

github.com/xyproto/algernon/issues/172

cve.org (CVE-2026-43982)

nvd.nist.gov (CVE-2026-43982)

Download JSON