CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52792

highcovered by 1 sourcefirst seen 2026-07-02
Summary Algernon selects its file handler from filepath.Ext() (engine/handlers.go:134), which does not treat the NTFS-equivalent names x.lua::$DATA, x.lua., or x.lua as .lua. On Windows, an unauthenticated client appends one of these suffixes to any server-side script on a public path and receives its raw source instead of executed output, leaking embedded secrets such as database credentials and the SetCookieSecret value. Linux and macOS hosts are unaffected. Preconditions - Algernon runs on a Windows host (NTFS filesystem). - The instance serves at least one server-side script (.lua, .tl, .po2, .amber, .frm). - The script sits on a public path, or no auth backend is configured (--nodb, --simple, or default no-DB). - HTTP/HTTPS reachability to the server. Details // engine/handlers.go:133 lowercaseFilename := strings.ToLower(filename) ext := filepath.Ext(lowercaseFilename) // "index.lua::$data" -> ".lua::$data", not ".lua" [offending] ... if ac.dispatchRenderer(w, req, filename, ext) { // ext unrecognised, returns false return } switch ext { case ".lua", ".tl": // execute the script -- never reached for the equivalent forms // ... RunLua ... default: // control reaches the raw-file branch below } // engine/handlers.go:452 f, err := os.Open(filename) // NTFS resolves "index.lua::$DATA" to index.lua's data stream ... // engine/handlers.go:479 if dataBlock, err := ac.ReadAndLogErrors(w, filename, ext); err == nil { dataBlock.ToClient(w, req, filename, ac.ClientCanGzip(req), gzipThreshold) // raw source to client } The request path reaches FilePage through URL2filename (utils/files.go:24), which rejects only ..; a :, a trailing ., and a trailing space all pass through into filename. filepath.Ext does an exact suffix match, so .lua::$data, ., and .lua are not equal to .lua or .tl. The renderer registry and the execute case are both skipped and control falls to th

⚡ Watch CVE-2026-52792

Get an email if CVE-2026-52792 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-52792

CVE.org record

Embed the live status

CVE-2026-52792 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52792 status](https://www.csirts.com/badge/CVE-2026-52792)](https://www.csirts.com/cve/CVE-2026-52792)