Cross-Origin Resource Sharing Flaw in Algernon Web Server by xyproto
CVE-2026-46431

4.3 MEDIUM

Key Information:

Vendor: Xyproto

Status
Vendor
CVE Published: 26 May 2026

What is CVE-2026-46431?

Algernon, a lightweight Go web server, contains a CORS vulnerability in its SSE (Server-Sent Events) event server. Prior to version 1.17.7, the Access-Control-Allow-Origin response header was hardcoded to '*', so the server performed no origin checking and potentially malicious third-party sites could access its live data streams. This exposes users to risks such as unauthorized data access. Upgrading to version 1.17.7 mitigates these risks.

Affected Version(s)

algernon < 1.17.7

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved