Vendor
Algernon, when running on a Windows host, is vulnerable to CVE-2026-52792, allowing an unauthenticated attacker to exploit its `filepath.Ext()` processing to bypass script execution and obtain the raw source code of server-side scripts by appending NTFS-equivalent suffixes (such as `::$DATA`, trailing dot, or trailing space) to the URL, thereby leaking sensitive embedded secrets like database credentials, API keys, and `SetCookieSecret` values, which can lead to authentication bypass.