CVE-2026-46431: CWE-942: Permissive Cross-domain Policy with Untrusted Domains in xyproto algernon
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7.
AI Analysis
Technical Summary
The vulnerability in xyproto algernon (versions before 1.17.7) involves the SSE event server's Access-Control-Allow-Origin header being hardcoded to '*', permitting any origin to access the server's EventSource stream. Since EventSource does not send cookies and does not require preflight requests, this configuration allows third-party pages to read live filename streams via JavaScript. This is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The issue was resolved in version 1.17.7.
Potential Impact
An attacker can exploit this vulnerability to read the live filename stream from the SSE port over a cross-origin EventSource connection. The impact is limited to information disclosure (confidentiality); integrity and availability are not affected. The CVSS score of 4.3 reflects medium severity: network attack vector, low attack complexity, no privileges required, and user interaction needed.
Mitigation Recommendations
Upgrade xyproto algernon to version 1.17.7 or later, where this vulnerability is fixed. No official patch link is provided, but the fix is included in the stated version. Until the upgrade is applied, treat the SSE event server as exposed to cross-origin reads of the filename stream. No additional vendor advisory is available; patch status is confirmed by the version fix statement.
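The following Go snippet is an added illustration, not Algernon's code or its actual fix: it places the pre-1.17.7 behaviour described above (Access-Control-Allow-Origin hardcoded to the wildcard) beside a hardened variant that echoes only an allowlisted Origin and omits the header otherwise. The allowlist, the sample event and the handler names are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
)

// Origins permitted to read the SSE stream. Constructed example value; a real
// deployment would load this from configuration.
var allowedOrigins = map[string]bool{
	"http://localhost:3000": true,
}

// weakSSEHeaders mirrors the behaviour the advisory describes: the wildcard is
// sent regardless of the caller's Origin, so any page can open an EventSource
// to this endpoint and read the stream (EventSource needs no preflight).
func weakSSEHeaders(h http.Header, origin string) {
	h.Set("Content-Type", "text/event-stream")
	h.Set("Access-Control-Allow-Origin", "*")
}

// corsOriginHeader returns the exact Origin to echo back when it is on the
// allowlist, or "" when the header must be omitted entirely (unknown origin,
// or no Origin header at all).
func corsOriginHeader(origin string) string {
	if allowedOrigins[origin] {
		return origin
	}
	return ""
}

// hardenedSSEHeaders echoes only allowlisted origins and adds Vary: Origin so
// a shared cache never serves one origin's response to another.
func hardenedSSEHeaders(h http.Header, origin string) {
	h.Set("Content-Type", "text/event-stream")
	h.Set("Cache-Control", "no-cache")
	if v := corsOriginHeader(origin); v != "" {
		h.Set("Access-Control-Allow-Origin", v)
		h.Add("Vary", "Origin")
	}
}

// sseHandler is a minimal event endpoint using the hardened headers.
func sseHandler(w http.ResponseWriter, r *http.Request) {
	hardenedSSEHeaders(w.Header(), r.Header.Get("Origin"))
	fmt.Fprintf(w, "data: example.txt\n\n") // constructed sample event
}

func main() {
	http.HandleFunc("/events", sseHandler)
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```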
CVSS v3.1 Score: 4.3 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-13T22:18:22.830Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a15d22e891d628fdc60089d
Added to database: 5/26/2026, 5:02:38 PM
Last enriched: 5/26/2026, 5:20:03 PM
Last updated: 5/26/2026, 10:59:53 PM