
GHSA-mm6c-5j6x-hq8m: Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename

High
Published: 07/02/2026 (07/02/2026, 20:46:42 UTC)
Source: GCVE Database
Product: github.com/xyproto/algernon

Description

Algernon running on Windows with NTFS is vulnerable to server-side script source disclosure via specially crafted filenames that exploit NTFS filename equivalences. An unauthenticated attacker can append NTFS alternate data stream suffixes or trailing dots/spaces to script filenames on public paths and receive the raw script source instead of executed output. This leaks embedded secrets such as database credentials and session cookie secrets. The vulnerability affects versions prior to 1.17.9 and does not impact Linux or macOS hosts.

CVSS v4.0

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Confidentiality: High
Vulnerable System Integrity: None
Vulnerable System Availability: None
Subsequent System Confidentiality: None
Subsequent System Integrity: None
Subsequent System Availability: None
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected software

Ecosystem: Go (GHSA)
Package: github.com/xyproto/algernon
Affected versions: <1.17.9


AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/02/2026, 23:05:59 UTC

Technical Analysis

Algernon's file handler selection uses filepath.Ext() which does not recognize NTFS-equivalent filename suffixes like '::$DATA', trailing dots, or trailing spaces as script extensions (e.g., '.lua'). On Windows, these suffixes resolve to the original file's data stream, causing Algernon to bypass script execution and instead serve the raw source code. This allows unauthenticated clients to access server-side script source files on public paths, exposing sensitive embedded secrets such as database connection strings and the SetCookieSecret value. The issue arises because Algernon does not canonicalize or reject Windows-equivalent filenames before dispatching handlers, leading to a confidentiality breach.

Potential Impact

An attacker can read the exact source code of any server-side script served on a public path by Algernon on Windows hosts. This disclosure exposes hardcoded secrets including database credentials and session cookie secrets. The leaked SetCookieSecret enables forging of session cookies, allowing unauthenticated attackers to impersonate any user. This results in a high confidentiality impact and complete authentication bypass without requiring any privileges or user interaction.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor suggests rejecting request paths whose final segment contains Windows-equivalent filename forms such as alternate data stream suffixes ('::$DATA'), trailing dots, or trailing spaces before extension dispatch. Until a patch is available, administrators should avoid serving server-side scripts on public paths on Windows hosts or implement access controls to prevent unauthenticated access. Monitoring for suspicious requests using these filename suffixes may help detect exploitation attempts.
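The check the vendor suggests, and the log-monitoring step above, both reduce to one question: does the final segment of the request path use a Windows-equivalent filename form? The following Go program is an added example written for this page; it is not Algernon's own code, and the middleware wrapper, the handlerFor dispatch stand-in and the sample access-log lines are all assumptions constructed for illustration. It shows the check applied before extension dispatch (so a name such as "index.lua::$DATA" or "index.lua." is rejected rather than falling through to the static-file handler) and the same check run over Common Log Format lines to flag requests worth investigating. One labelled design choice goes slightly beyond the advisory's list: any colon in the final segment is rejected, not only the literal "::$DATA" suffix, since every alternate data stream reference uses a colon and a colon is never part of a valid Windows filename.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// hasNTFSEquivalentSuffix reports whether the final segment of a (decoded)
// request path uses an NTFS form that Windows resolves to the same file as the
// plain name: an alternate data stream suffix such as "::$DATA", or trailing
// dots/spaces, which NTFS strips when opening the file. Design choice (assumed,
// stricter than the advisory's "::$DATA" example): any ':' in the segment is
// treated as an ADS reference.
func hasNTFSEquivalentSuffix(requestPath string) bool {
	seg := requestPath[strings.LastIndex(requestPath, "/")+1:]
	if seg == "" {
		return false // path names a directory, not a file
	}
	if strings.Contains(seg, ":") {
		return true
	}
	last := seg[len(seg)-1]
	return last == '.' || last == ' '
}

// handlerFor is a stand-in for the dispatch decision (not Algernon's real
// handler table). It applies the rejection first and only then picks a handler
// by extension; path.Ext("/index.lua::$DATA") is ".lua::$DATA" and
// path.Ext("/index.lua.") is ".", so without the first step both names would
// be served by the static-file handler.
func handlerFor(requestPath string) string {
	if hasNTFSEquivalentSuffix(requestPath) {
		return "reject"
	}
	switch strings.ToLower(path.Ext(requestPath)) {
	case ".lua":
		return "script"
	default:
		return "static"
	}
}

// rejectNTFSEquivalentNames is an assumed net/http middleware that applies the
// check to the already-decoded r.URL.Path before the wrapped handler runs.
func rejectNTFSEquivalentNames(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hasNTFSEquivalentSuffix(r.URL.Path) {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// suspiciousRequests scans Common Log Format lines and returns the decoded
// request paths whose final segment carries an NTFS-equivalent form. The path
// is unescaped first so that "%20" (trailing space) and "%3A" (colon) in the
// raw log are not missed, and any query string is dropped before the check.
func suspiciousRequests(logLines []string) []string {
	var hits []string
	for _, line := range logLines {
		parts := strings.Split(line, `"`)
		if len(parts) < 2 {
			continue
		}
		fields := strings.Fields(parts[1]) // e.g. GET /index.lua HTTP/1.1
		if len(fields) < 2 {
			continue
		}
		target := fields[1]
		if q := strings.Index(target, "?"); q >= 0 {
			target = target[:q]
		}
		decoded, err := url.PathUnescape(target)
		if err != nil {
			decoded = target
		}
		if hasNTFSEquivalentSuffix(decoded) {
			hits = append(hits, decoded)
		}
	}
	return hits
}

// sampleAccessLog holds constructed sample lines (not real traffic).
var sampleAccessLog = []string{
	`203.0.113.5 - - [02/Jul/2026:20:46:42 +0000] "GET /index.lua HTTP/1.1" 200 512`,
	`203.0.113.5 - - [02/Jul/2026:20:46:43 +0000] "GET /index.lua::$DATA HTTP/1.1" 200 2048`,
	`203.0.113.5 - - [02/Jul/2026:20:46:44 +0000] "GET /index.lua. HTTP/1.1" 200 2048`,
	`203.0.113.5 - - [02/Jul/2026:20:46:45 +0000] "GET /index.lua%20?x=1 HTTP/1.1" 200 2048`,
	`198.51.100.7 - - [02/Jul/2026:20:47:01 +0000] "GET /css/site.css HTTP/1.1" 200 90`,
}

func main() {
	for _, p := range []string{"/index.lua", "/index.lua::$DATA", "/index.lua.", "/css/site.css"} {
		fmt.Printf("%-22q -> %s\n", p, handlerFor(p))
	}
	fmt.Println("suspicious:", suspiciousRequests(sampleAccessLog))
	// To protect a server: http.ListenAndServe(":8080", rejectNTFSEquivalentNames(mux))
}
```

Two points for anyone adapting this: the check must run on the decoded path (net/http already decodes into r.URL.Path) so percent-encoded spaces and colons are caught, and it must run before any handler or extension lookup, because the whole defect is that extension dispatch happens on the uncanonicalized name. On a server with a non-zero hit count in the log scan, the byte count column is the next thing to compare: a script request that normally returns a small rendered page but suddenly returns a body the size of the source file is the signature the Potential Impact section describes.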


Technical Details

GCVE Source: db.gcve.eu
OSV ID: GHSA-mm6c-5j6x-hq8m
OSV Schema Version: 1.4.0
Aliases: CVE-2026-52792
Ecosystems: Go
Database Specific Severity: HIGH
CVSS Version: 4.0

Threat ID: 6a46ecae27e9c7971943b8e1

Added to database: 07/02/2026, 22:56:46 UTC

Last enriched: 07/02/2026, 23:05:59 UTC

Last updated: 07/03/2026, 00:03:49 UTC

