Directory Traversal and Arbitrary File Read on Algernon Web Server by XYProto
CVE-2026-48126

8.2HIGH

Key Information:

Vendor: Xyproto
Status: Algernon
Vendor: CVE Published:; 26 May 2026

What is CVE-2026-48126?

The Algernon web server, prior to version 1.17.8, is susceptible to a directory traversal vulnerability when started with the --domain or --letsencrypt flags. This weakness allows an attacker to exploit the server by supplying a crafted Host header that utilizes '..', enabling access to parent directories. Consequently, this results in the potential for arbitrary file reads and full directory listings, which can lead to more severe exploits, including server-side execution of .lua files, compromising the integrity and confidentiality of the server's data.

Affected Version(s)

algernon < 1.17.8

References

https://github.com/xyproto/algernon/security/advisories/G...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
May 20, 2026

CVE-2026-48126 Data

JSON

Xyproto

What is CVE-2026-48126?

Affected Version(s)

References

CVSS V3.1

Timeline