CVE-2026-46431
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/05/2026
Last modified:
26/05/2026
Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7.
Impact
Base Score 3.x
4.30
Severity 3.x
MEDIUM



