Search criteria
6 vulnerabilities by caddyserver
CVE-2026-27590 (GCVE-0-2026-27590)
Vulnerability from cvelistv5 – Published: 2026-02-24 16:33 – Updated: 2026-02-24 16:33
VLAI?
Title
Caddy: Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport
Summary
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| caddyserver | caddy |
Affected:
< 2.11.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "caddy",
"vendor": "caddyserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy\u0027s FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-180",
"description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T16:33:41.353Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g"
},
{
"name": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38"
},
{
"name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"
}
],
"source": {
"advisory": "GHSA-5r3v-vc8m-m96g",
"discovery": "UNKNOWN"
},
"title": "Caddy: Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27590",
"datePublished": "2026-02-24T16:33:41.353Z",
"dateReserved": "2026-02-20T17:40:28.450Z",
"dateUpdated": "2026-02-24T16:33:41.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27589 (GCVE-0-2026-27589)
Vulnerability from cvelistv5 – Published: 2026-02-24 16:30 – Updated: 2026-02-24 16:31
VLAI?
Title
Caddy vulnerable to cross-origin config application via local admin API /load (caddy)
Summary
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| caddyserver | caddy |
Affected:
< 2.11.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "caddy",
"vendor": "caddyserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T16:31:35.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-879p-475x-rqh2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-879p-475x-rqh2"
},
{
"name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"
},
{
"name": "https://github.com/user-attachments/files/25079818/poc.zip",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/25079818/poc.zip"
},
{
"name": "https://github.com/user-attachments/files/25079820/PR_DESCRIPTION.md",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/25079820/PR_DESCRIPTION.md"
}
],
"source": {
"advisory": "GHSA-879p-475x-rqh2",
"discovery": "UNKNOWN"
},
"title": "Caddy vulnerable to cross-origin config application via local admin API /load (caddy)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27589",
"datePublished": "2026-02-24T16:30:52.016Z",
"dateReserved": "2026-02-20T17:40:28.450Z",
"dateUpdated": "2026-02-24T16:31:35.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27588 (GCVE-0-2026-27588)
Vulnerability from cvelistv5 – Published: 2026-02-24 16:28 – Updated: 2026-02-24 16:28
VLAI?
Title
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
Summary
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.
Severity ?
CWE
- CWE-178 - Improper Handling of Case Sensitivity
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| caddyserver | caddy |
Affected:
< 2.11.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "caddy",
"vendor": "caddyserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy\u0027s HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (\u003e100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178: Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T16:28:28.106Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8"
},
{
"name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"
}
],
"source": {
"advisory": "GHSA-x76f-jf84-rqj8",
"discovery": "UNKNOWN"
},
"title": "Caddy: MatchHost becomes case-sensitive for large host lists (\u003e100), enabling host-based route/auth bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27588",
"datePublished": "2026-02-24T16:28:28.106Z",
"dateReserved": "2026-02-20T17:40:28.450Z",
"dateUpdated": "2026-02-24T16:28:28.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27587 (GCVE-0-2026-27587)
Vulnerability from cvelistv5 – Published: 2026-02-24 16:26 – Updated: 2026-02-24 16:26
VLAI?
Title
Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass
Summary
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.
Severity ?
CWE
- CWE-178 - Improper Handling of Case Sensitivity
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| caddyserver | caddy |
Affected:
< 2.11.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "caddy",
"vendor": "caddyserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy\u0027s HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request\u0027s escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178: Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T16:26:40.222Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh"
},
{
"name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"
}
],
"source": {
"advisory": "GHSA-g7pc-pc7g-h8jh",
"discovery": "UNKNOWN"
},
"title": "Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27587",
"datePublished": "2026-02-24T16:26:40.222Z",
"dateReserved": "2026-02-20T17:40:28.450Z",
"dateUpdated": "2026-02-24T16:26:40.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27586 (GCVE-0-2026-27586)
Vulnerability from cvelistv5 – Published: 2026-02-24 16:08 – Updated: 2026-02-24 16:08
VLAI?
Title
Caddy's mTLS client authentication silently fails open when CA certificate file is missing or malformed
Summary
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.
Severity ?
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| caddyserver | caddy |
Affected:
< 2.11.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "caddy",
"vendor": "caddyserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T16:08:20.569Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-hffm-g8v7-wrv7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-hffm-g8v7-wrv7"
},
{
"name": "https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48",
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48"
},
{
"name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"
}
],
"source": {
"advisory": "GHSA-hffm-g8v7-wrv7",
"discovery": "UNKNOWN"
},
"title": "Caddy\u0027s mTLS client authentication silently fails open when CA certificate file is missing or malformed"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27586",
"datePublished": "2026-02-24T16:08:20.569Z",
"dateReserved": "2026-02-20T17:40:28.450Z",
"dateUpdated": "2026-02-24T16:08:20.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27585 (GCVE-0-2026-27585)
Vulnerability from cvelistv5 – Published: 2026-02-24 16:06 – Updated: 2026-02-24 16:06
VLAI?
Title
Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections
Summary
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| caddyserver | caddy |
Affected:
< 2.11.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "caddy",
"vendor": "caddyserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn\u0027t sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T16:06:05.030Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4"
},
{
"name": "https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361"
},
{
"name": "https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L398",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L398"
},
{
"name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"
}
],
"source": {
"advisory": "GHSA-4xrr-hq4w-6vf4",
"discovery": "UNKNOWN"
},
"title": "Caddy\u0027s improper sanitization of glob characters in file matcher may lead to bypassing security protections"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27585",
"datePublished": "2026-02-24T16:06:05.030Z",
"dateReserved": "2026-02-20T17:40:28.450Z",
"dateUpdated": "2026-02-24T16:06:05.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}