CVE-2026-45721
CriticalSummary
Algernon is a small self-contained pure-Go web server. Prior to version 1.17.7, when the server receives a URL request that resolves to a directory without an index file, it searches upward through parent directories for a handler.lua file, potentially leading to remote code execution.
Risk Assessment
The organization is at risk of unauthenticated remote code execution, which could lead to serious security breaches and data loss.
Recommendation
It is recommended to update the Algernon server to version 1.17.7 or later to mitigate this vulnerability.
Original NVD description (English source)
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancestor steps or when filepath.Dir returns ., so on any absolute server-root path the search reaches the filesystem root (/ on Unix, drive letter on Windows). The first handler.lua it finds is loaded into the Lua interpreter with the full Algernon API exposed — including run3(), httpclient, os.execute, io.popen, PQ, MSSQL, raw filesystem access, and the userstate database. Any process that can write handler.lua anywhere in a parent directory of the server root obtains pre-authenticated remote code execution on the next HTTP request. This is reachable without authentication — the lookup happens before the permission check returns a hit (

