Back to list

Algernon: Single-file mode unconditionally enables debug mode — CVE-2026-45728

GitHub · GitHub · CVE-2026-45728

ID
CVE-2026-45728
Date
Activity
Source
GitHub
Vendor
GitHub
Threat
high
CVSS
7.5

Summary

### Summary When Algernon is invoked with a single file path instead of a directory — the documented "quick demo" workflow (`algernon foo.lua`, `algernon page.po2`, `algernon index.html`, `algernon mywebsite.alg`) — `singleFileMode` is set to true and **`debugMode` is forcibly enabled** with no opt-out: ```go // engine/config.go:498-502 // Make a few changes to the defaults if we are serving a single file if…

Product

go: github.com/xyproto/algernon

What to do

General, cautious steps (verify details in the official source):

  • Prioritize patching or mitigation immediately (treat as actively risky).
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GitHub 2026-W21