{"id":"CVE-2026-46430","summary":"Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS","details":"Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = \"\" for non-Windows, and utils.JoinHostPort(\"\", \":5553\") resolves to \":5553\". This vulnerability is fixed in 1.17.7.","aliases":["GHSA-gj84-924c-48fx","GO-2026-5401"],"modified":"2026-07-08T08:13:38.058339373Z","published":"2026-05-26T16:41:42.059Z","database_specific":{"cwe_ids":["CWE-1188","CWE-668"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46430.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46430.json"},{"type":"ADVISORY","url":"https://github.com/xyproto/algernon/security/advisories/GHSA-gj84-924c-48fx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46430"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/xyproto/algernon","events":[{"introduced":"0"},{"fixed":"ff4de121a2aecad8cd1dbebf1e10b468e7d33ee5"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"1.17.7"}]}}],"versions":["v1.17.6","v1.17.5","v1.17.4","v1.17.3","v1.17.2","v1.17.1","v1.17.0","v1.16.0","v1.15.5","v1.15.4","v1.15.3","v1.15.2","v1.15.1","v1.15.0","v1.14.0","v1.13.0","1.12.14","1.12.12","1.12.11","1.12.10","1.12.9","1.12.8","1.12.7","1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0-TLS-1.3","1.12.0","1.11.0","1.10.1","v1","1.10","1.9","1.8","1.7","1.6","1.5.1-static-linux64","v1.5","1.5.1","1.5","v1.4.5-win8-64","1.4.5","1.4.4","1.4.3","1.4.2","v1.4.1-win8-64","v1.4.1-rpi3","1.4.1","1.4","1.3.2","1.3.1","1.3","v1.2.1-win8-64","1.2.1","1.2","1.1","v1.0-win8-64","1.0","0.92","0.91","0.9","0.89","0.88","0.87","0.86","v0.85-win8-64","0.85","0.84","v0.84-win8-64","0.83","0.82","0.81","0.8","0.75","0.74","0.73","0.72","0.71","0.7","0.68","0.67","0.66","0.65","0.64","0.63","0.62","v0.62-win8-64","0.61","0.59","0.58","0.57","0.56","0.55","0.54","0.53","v0.52-win8-64","0.52","0.51","0.50","0.49","0.48","v0.47-win8-64","0.47","0.46","0.45","0.44","0.43","0.42","0.41","0.4","0.3","0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46430.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}