Security: xyproto/algernon
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Server-side script source disclosure on Windows via NTFS filename
  GHSA-mm6c-5j6x-hq8m, published May 29, 2026 by xyproto. Severity: High
- Host header path traversal in --domain mode reads files and runs Lua from parent dir
  GHSA-jc3j-x6pg-4hmv, published May 24, 2026 by xyproto. Severity: High
- Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS
  GHSA-gj84-924c-48fx, published May 14, 2026 by xyproto. Severity: Moderate
- Auto-refresh SSE event server sets Access-Control-Allow-Origin: *
  GHSA-hw27-4v2q-5qff, published May 14, 2026 by xyproto. Severity: Moderate
- Single-file mode unconditionally enables debug mode
  GHSA-fwqx-8365-9983, published May 12, 2026 by xyproto. Severity: High
- Auto-refresh SSE event server requires no authentication — any client that can reach the listener reads the live file-change stream
  GHSA-9v4j-7g44-qcqw, published May 12, 2026 by xyproto. Severity: Moderate
- handler.lua discovery walks parent directories above the server root
  GHSA-xwcr-wm99-g9jc, published May 12, 2026 by xyproto. Severity: Critical
- Race Condition in handle() shared LState
  GHSA-rr2f-4wrm-h6rg, published May 5, 2026 by xyproto. Severity: High
- Path traversal file write via savein()
  GHSA-2j2c-pv62-mmcp, published May 5, 2026 by xyproto. Severity: High