{"id":"CVE-2026-43982","summary":"Algernon: Path traversal file write via savein()","details":"Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This vulnerability is fixed in 1.17.6.","aliases":["GHSA-2j2c-pv62-mmcp"],"modified":"2026-07-08T08:13:30.232583047Z","published":"2026-05-26T16:30:09.964Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43982.json","cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43982.json"},{"type":"ADVISORY","url":"https://github.com/xyproto/algernon/security/advisories/GHSA-2j2c-pv62-mmcp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43982"},{"type":"REPORT","url":"https://github.com/xyproto/algernon/issues/172"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/xyproto/algernon","events":[{"introduced":"0"},{"fixed":"60bb98841972ffd6a3a32a4cde18517fae0ea2ef"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"1.17.6"}]}}],"versions":["v1.17.5","v1.17.4","v1.17.3","v1.17.2","v1.17.1","v1.17.0","v1.16.0","v1.15.5","v1.15.4","v1.15.3","v1.15.2","v1.15.1","v1.15.0","v1.14.0","v1.13.0","1.12.14","1.12.12","1.12.11","1.12.10","1.12.9","1.12.8","1.12.7","1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0-TLS-1.3","1.12.0","1.11.0","1.10.1","v1","1.10","1.9","1.8","1.7","1.6","1.5.1-static-linux64","v1.5","1.5.1","1.5","v1.4.5-win8-64","1.4.5","1.4.4","1.4.3","1.4.2","v1.4.1-win8-64","v1.4.1-rpi3","1.4.1","1.4","1.3.2","1.3.1","1.3","v1.2.1-win8-64","1.2.1","1.2","1.1","v1.0-win8-64","1.0","0.92","0.91","0.9","0.89","0.88","0.87","0.86","v0.85-win8-64","0.85","0.84","v0.84-win8-64","0.83","0.82","0.81","0.8","0.75","0.74","0.73","0.72","0.71","0.7","0.68","0.67","0.66","0.65","0.64","0.63","0.62","v0.62-win8-64","0.61","0.59","0.58","0.57","0.56","0.55","0.54","0.53","v0.52-win8-64","0.52","0.51","0.50","0.49","0.48","v0.47-win8-64","0.47","0.46","0.45","0.44","0.43","0.42","0.41","0.4","0.3","0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43982.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}]}