EXECUTIVE SUMMARY:
Two vulnerabilities have been found in the Go package github.com/xyproto/algernon, a web server with support for server-side Lua programming. Both affect earlier releases and are fixed in a later update. The identified issues are arbitrary remote code execution and information disclosure. Business risk and impact are significant: both vulnerabilities can be exploited through plain HTTP requests, allowing an attacker to execute arbitrary code on the target system or to obtain sensitive information. The first lets an attacker run code with the privileges of the server process, giving access to sensitive data and the ability to modify system settings or perform other malicious actions. The second lets an attacker obtain sensitive information about the target system, including file paths, file contents and error messages.
CVE-2026-45721, CVSS score 9.0: an unbounded upward search in `DirPage` discovers and executes a malicious `handler.lua` script located in a parent directory of the server root. Code runs with the privileges of the server process, so an attacker can read sensitive data, modify system settings or perform other malicious actions. The attack is reachable without authentication and can be triggered by a single GET request to the server's root URL. The lookup takes place before the permission check, and any URL that resolves to a directory without an index file triggers the walk.
CVE-2026-45728, CVSS score 7.5: single-file mode unconditionally enables debug mode, which exposes file paths, file contents and error messages to remote clients. The vulnerability is triggered whenever the package is started with a single file path instead of a directory. This includes the natural quickstart inputs (.lua, .po2, .pongo2, .html, .amber, .tmpl, .jsx, .tl, .prompt), that is, every file extension Algernon recognises as a server-renderable handler.
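The following Go program is an added illustration of the lookup pattern behind CVE-2026-45721; it is not Algernon's own `DirPage` code, and the function names, the `/srv/www` server root and the planted `/srv/handler.lua` are constructed assumptions. It contrasts an upward walk that never stops at the server root with a bounded walk that refuses to leave it, and it lists the ancestor paths an operator should audit on an unpatched deployment.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// handlerName is the script the advisory says DirPage looks for when a
// requested directory has no index file.
const handlerName = "handler.lua"

// unboundedCandidates models the vulnerable behaviour (illustration only,
// not Algernon's code): starting at the requested directory it walks towards
// the filesystem root without stopping at the server root, so a handler.lua
// placed in any ancestor directory is a candidate for execution.
func unboundedCandidates(dir string) []string {
	var out []string
	cur := filepath.Clean(dir)
	for {
		out = append(out, filepath.Join(cur, handlerName))
		parent := filepath.Dir(cur)
		if parent == cur { // reached "/"
			return out
		}
		cur = parent
	}
}

// boundedCandidates is the hardened form: the walk never leaves serverRoot,
// and a directory outside serverRoot yields no candidates at all.
func boundedCandidates(serverRoot, dir string) []string {
	root := filepath.Clean(serverRoot)
	cur := filepath.Clean(dir)
	rel, err := filepath.Rel(root, cur)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil
	}
	var out []string
	for {
		out = append(out, filepath.Join(cur, handlerName))
		if cur == root {
			return out
		}
		cur = filepath.Dir(cur)
	}
}

// firstExisting returns the first candidate for which exists reports true,
// or "" if none does. exists is injected so the lookup can be exercised
// against a constructed set of paths instead of the real filesystem.
func firstExisting(candidates []string, exists func(string) bool) string {
	for _, c := range candidates {
		if exists(c) {
			return c
		}
	}
	return ""
}

// auditAncestors lists every ancestor-level handler.lua that an unbounded
// walk from serverRoot would consult but a bounded walk would not. On an
// unpatched server these are the files to verify do not exist.
func auditAncestors(serverRoot string) []string {
	all := unboundedCandidates(serverRoot)
	if len(all) <= 1 {
		return nil
	}
	return all[1:]
}

func main() {
	// Constructed example: a handler.lua sits one level above the served
	// directory. Both paths are assumptions for illustration.
	planted := map[string]bool{"/srv/handler.lua": true}
	exists := func(p string) bool { return planted[p] }
	root := "/srv/www"

	fmt.Println("vulnerable walk picks:", firstExisting(unboundedCandidates(root), exists))
	fmt.Println("bounded walk picks:   ", firstExisting(boundedCandidates(root, root), exists))
	for _, p := range auditAncestors(root) {
		fmt.Println("audit ancestor:", p)
	}
}
```

The bounded variant rejects requests that resolve outside the root before it starts walking, which is the property to look for when reviewing a fix: the candidate list must be a function of the server root, not of the filesystem depth.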
RECOMMENDATION:
We recommend updating github.com/xyproto/algernon to version 1.17.7 or later.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-xwcr-wm99-g9jc
https://github.com/advisories/GHSA-fwqx-8365-9983