Go modules package
github.com/caddyserver/caddy/v2
pkg:golang/github.com/caddyserver/caddy/v2
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-27590 | — | — | — | < 2.11.1 | 2.11.1 | Feb 24, 2026 | Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode be |
| CVE-2026-27589 | — | — | — | < 2.11.1 | 2.11.1 | Feb 24, 2026 | Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enab |
| CVE-2026-27588 | — | — | — | < 2.11.1 | 2.11.1 | Feb 24, 2026 | Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. |
| CVE-2026-27587 | — | — | — | < 2.11.1 | 2.11.1 | Feb 24, 2026 | Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path wi |
| CVE-2026-27586 | — | — | — | < 2.11.1 | 2.11.1 | Feb 24, 2026 | Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. |
| CVE-2026-27585 | — | — | — | < 2.11.1 | 2.11.1 | Feb 24, 2026 | Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment |
| CVE-2022-28923 | — | — | — | < 2.5.0-beta.1 | 2.5.0-beta.1 | Feb 6, 2023 | Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs. |
| CVE-2022-29718 | — | — | — | < 2.5.0 | 2.5.0 | Jun 2, 2022 | Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links. |
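The bug class behind CVE-2026-27590, as an added illustration written for this page (it is not Caddy's FastCGI code; the function names, the `.php` extension and the sample paths are assumptions). `strings.ToLower` can change a rune's UTF-8 byte length, so a byte index computed on a lowercased copy does not point at the same place in the original. The Kelvin sign U+212A (3 bytes) lowers to `k` (1 byte), so the split lands two bytes early; U+023A (2 bytes) lowers to U+2C65 (3 bytes), so the index can run past the end of the original and panic. The safe variant searches the original bytes directly with rune-aligned `strings.EqualFold` windows, so every offset it returns is valid for the string it slices.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// splitPathByIndexOfLowered mirrors the bug class: the extension is located in
// a lowercased copy and the resulting byte index is applied to the original.
// The bounds check only stops the demo from panicking when the lowered copy is
// longer than the original; a version without it is a remote crash.
func splitPathByIndexOfLowered(reqPath, ext string) (scriptName, pathInfo string, ok bool) {
	lowered := strings.ToLower(reqPath)
	idx := strings.Index(lowered, strings.ToLower(ext))
	if idx < 0 {
		return "", "", false
	}
	end := idx + len(ext)
	if end > len(reqPath) {
		return "", "", false // would be an index-out-of-range panic without this guard
	}
	return reqPath[:end], reqPath[end:], true
}

// indexFold returns the byte bounds within s of the first rune-aligned window
// that is case-insensitively equal to sub (Unicode simple folding, as in
// strings.EqualFold). Because it walks s itself, the offsets are always valid
// for s no matter how folding changes byte lengths.
func indexFold(s, sub string) (start, end int, ok bool) {
	n := utf8.RuneCountInString(sub)
	for start = 0; start < len(s); {
		end = start
		runes := 0
		for runes < n && end < len(s) {
			_, size := utf8.DecodeRuneInString(s[end:])
			end += size
			runes++
		}
		if runes < n {
			break // fewer than n runes remain; no further match is possible
		}
		if strings.EqualFold(s[start:end], sub) {
			return start, end, true
		}
		_, size := utf8.DecodeRuneInString(s[start:])
		start += size
	}
	return 0, 0, false
}

// splitPathSafe searches and slices the same bytes.
func splitPathSafe(reqPath, ext string) (scriptName, pathInfo string, ok bool) {
	_, end, found := indexFold(reqPath, ext)
	if !found {
		return "", "", false
	}
	return reqPath[:end], reqPath[end:], true
}

func main() {
	// Constructed sample paths: plain ASCII, a Kelvin sign, and three U+023A.
	for _, p := range []string{"/app/index.php/info", "/app/\u212Aey.php/info", "/\u023A\u023A\u023A.php"} {
		s1, i1, ok1 := splitPathByIndexOfLowered(p, ".php")
		s2, i2, ok2 := splitPathSafe(p, ".php")
		fmt.Printf("%q\n  lowered-index: %q %q %v\n  fold-search:   %q %q %v\n", p, s1, i1, ok1, s2, i2, ok2)
	}
}
```

The general rule this demonstrates: never carry a byte index from a case-folded or normalised copy back to the original string; either search the original with a folding comparison, or keep an explicit offset map from the copy to the original.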
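The control that CVE-2026-27589 describes as missing when origin enforcement is off, as an added example written for this page (not Caddy's admin server; the `/load` stand-in, the listener address `localhost:2019` and the allow-lists are assumptions). A browser can be made to send `POST /load` to a loopback admin port in two ways: a cross-site `fetch` from an attacker's page, which carries the attacker's `Origin`, and DNS rebinding, where the attacker's hostname resolves to 127.0.0.1 and the request carries the attacker's `Host`. The guard below rejects both, while still letting a non-browser client with no `Origin` header through on the strength of the `Host` check.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// originGuard fronts a state-changing admin endpoint. Two checks:
//   - Host must be an address the admin listener is meant to answer for, which
//     defeats DNS rebinding (the rebound page sends the attacker's hostname);
//   - for non-safe methods an Origin header, if present, must be allow-listed,
//     which defeats a cross-site POST from a page loaded from elsewhere.
// Requests with no Origin at all (curl, a CLI) pass on the Host check alone;
// browsers always attach Origin to cross-origin POSTs.
type originGuard struct {
	allowedHosts   map[string]bool
	allowedOrigins map[string]bool
	next           http.Handler
}

func (g originGuard) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !g.allowedHosts[strings.ToLower(r.Host)] {
		http.Error(w, "forbidden: unexpected Host", http.StatusForbidden)
		return
	}
	if r.Method != http.MethodGet && r.Method != http.MethodHead {
		if origin := r.Header.Get("Origin"); origin != "" && !g.allowedOrigins[strings.ToLower(origin)] {
			http.Error(w, "forbidden: origin not allowed", http.StatusForbidden)
			return
		}
	}
	g.next.ServeHTTP(w, r)
}

// newAdminHandler wires a stand-in /load endpoint behind the guard.
// Addresses and allow-lists are demo assumptions.
func newAdminHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/load", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		fmt.Fprintln(w, "config replaced") // stand-in for the real state change
	})
	return originGuard{
		allowedHosts:   map[string]bool{"localhost:2019": true, "127.0.0.1:2019": true},
		allowedOrigins: map[string]bool{"http://localhost:2019": true, "http://127.0.0.1:2019": true},
		next:           mux,
	}
}

// probe sends one in-memory request and returns the response status code.
func probe(h http.Handler, method, url, origin string) int {
	req := httptest.NewRequest(method, url, nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := newAdminHandler()
	fmt.Println("CLI POST, no Origin:      ", probe(h, "POST", "http://localhost:2019/load", ""))
	fmt.Println("same-origin browser POST: ", probe(h, "POST", "http://localhost:2019/load", "http://localhost:2019"))
	fmt.Println("cross-site POST:          ", probe(h, "POST", "http://localhost:2019/load", "https://attacker.example"))
	fmt.Println("DNS-rebound POST:         ", probe(h, "POST", "http://rebound.attacker.example:2019/load", "http://rebound.attacker.example:2019"))
}
```

Binding to loopback alone is not a boundary against a browser running on the same machine; the `Host` and `Origin` checks are what turn a loopback listener into one that only the intended clients can drive.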
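The inconsistency described for CVE-2026-27588, as an added example written for this page (not Caddy's `host` matcher; the matcher type, the `normalize` hook and the generated host list are assumptions, and only the `>100` threshold comes from the advisory text). A matcher that scans small lists with `strings.EqualFold` but looks large lists up in a map is only as case-insensitive as the keys and the probe it puts into that map. The buggy variant inserts and looks up hosts verbatim; the fixed one lowercases on both sides. `disagreements` is the regression check a practitioner would want: it feeds the same probes through a small and a large list and reports any probe on which the two code paths differ.

```go
package main

import (
	"fmt"
	"strings"
)

// fastPathThreshold is the list size above which the matcher switches from a
// linear scan to a set lookup. The number is taken from the advisory text.
const fastPathThreshold = 100

// hostMatcher keeps the configured hosts and, for large lists, a lookup set.
type hostMatcher struct {
	hosts     []string
	set       map[string]struct{}    // populated only above the threshold
	normalize func(string) string // applied to configured hosts and to the request host
}

// newHostMatcher builds the matcher. Passing identity reproduces the bug;
// passing strings.ToLower makes the set agree with the EqualFold scan.
func newHostMatcher(hosts []string, normalize func(string) string) *hostMatcher {
	m := &hostMatcher{hosts: hosts, normalize: normalize}
	if len(hosts) > fastPathThreshold {
		m.set = make(map[string]struct{}, len(hosts))
		for _, h := range hosts {
			m.set[normalize(h)] = struct{}{}
		}
	}
	return m
}

// Match reports whether reqHost is in the configured list.
func (m *hostMatcher) Match(reqHost string) bool {
	if m.set != nil {
		_, ok := m.set[m.normalize(reqHost)] // exact lookup: only as case-insensitive as normalize makes it
		return ok
	}
	for _, h := range m.hosts {
		if strings.EqualFold(h, reqHost) { // the documented case-insensitive behaviour
			return true
		}
	}
	return false
}

func identity(s string) string { return s }

// largeHostList returns n filler hosts plus example.com (constructed test data).
func largeHostList(n int) []string {
	hosts := make([]string, 0, n+1)
	for i := 0; i < n; i++ {
		hosts = append(hosts, fmt.Sprintf("host%03d.example.net", i))
	}
	return append(hosts, "example.com")
}

// disagreements returns every probe on which a small list (scan path) and a
// large list (set path) containing the same target host give different answers.
func disagreements(normalize func(string) string, probes []string) []string {
	small := newHostMatcher([]string{"example.com", "www.example.com"}, normalize)
	large := newHostMatcher(largeHostList(fastPathThreshold), normalize) // 101 entries
	var out []string
	for _, p := range probes {
		if small.Match(p) != large.Match(p) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	probes := []string{"example.com", "EXAMPLE.COM", "Example.Com", "other.example"}
	fmt.Println("buggy:", disagreements(identity, probes))
	fmt.Println("fixed:", disagreements(strings.ToLower, probes))
}
```

The same discipline applies to any matcher with more than one code path: normalise once, at the boundary, and have every path compare the normalised form, so a change in list size or a performance optimisation cannot change what matches.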
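The error-swallowing pattern behind CVE-2026-27586, as an added example written for this page (not Caddy's `ClientAuthentication.provision()`; the function names and the throwaway CA are assumptions). In the unsafe variant a read error and the boolean from `AppendCertsFromPEM` are both dropped: a missing file leaves `ClientCAs` nil, and Go's verifier then falls back to the system root store rather than the operator's private CA, while a malformed file yields an empty pool. In both cases the server starts without complaint with a policy other than the one configured. The safe variant returns every error so provisioning fails instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// provisionUnsafe mirrors the bug class: the read error and the parse result
// are ignored, so a missing or malformed CA file still yields a config.
func provisionUnsafe(caFile string) *tls.Config {
	var pool *x509.CertPool
	if data, err := os.ReadFile(caFile); err == nil { // error silently dropped
		pool = x509.NewCertPool()
		pool.AppendCertsFromPEM(data) // false result silently dropped
	}
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool, // nil on a missing file: verifier falls back to system roots
	}
}

// clientCAsFromPEM builds the pool and refuses to hand back an empty one.
func clientCAsFromPEM(data []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		return nil, errors.New("client CA data contains no parseable certificates")
	}
	return pool, nil
}

// provisionSafe propagates every error so the server refuses to start rather
// than starting with a weaker client-auth policy than configured.
func provisionSafe(caFile string) (*tls.Config, error) {
	data, err := os.ReadFile(caFile)
	if err != nil {
		return nil, fmt.Errorf("reading client CA file %q: %w", caFile, err)
	}
	pool, err := clientCAsFromPEM(data)
	if err != nil {
		return nil, fmt.Errorf("loading client CA file %q: %w", caFile, err)
	}
	return &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}, nil
}

// newTestCAPEM mints a throwaway self-signed CA (constructed test data).
func newTestCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example test client CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	cfg := provisionUnsafe("/nonexistent/client-ca.pem")
	fmt.Printf("unsafe: started with ClientAuth=%v, ClientCAs nil=%v\n", cfg.ClientAuth, cfg.ClientCAs == nil)
	if _, err := provisionSafe("/nonexistent/client-ca.pem"); err != nil {
		fmt.Println("safe:", err)
	}
}
```

The operational check that goes with this: a server whose mTLS depends on a CA file should fail to start when that file is absent. If it starts, the provisioning path is swallowing an error somewhere.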
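The sanitization gap described for CVE-2026-27585, as an added example written for this page (not Caddy's file matcher; the function names and the sample request paths are assumptions). `path.Clean` only knows `/` as a separator, so a traversal written with backslashes is a single opaque segment and survives cleaning untouched. Whether that leftover segment then acts as a traversal depends on the environment: on Windows the filesystem treats `\` as a separator, on Unix it is an ordinary filename character, which is why the advisory scopes the impact to specific environments. The fixed variant folds `\` into `/` before cleaning, and `hasDotDotSegment` is the post-sanitization check that catches anything that slipped through on either separator.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// cleanForwardSlashOnly mirrors the bug class: only '/' is a separator, so
// "..\..\" is one segment to path.Clean and is left as it is.
func cleanForwardSlashOnly(p string) string {
	return path.Clean("/" + p)
}

// cleanBothSeparators folds '\' into '/' first, so a backslash traversal
// collapses exactly like a forward-slash one.
func cleanBothSeparators(p string) string {
	return path.Clean("/" + strings.ReplaceAll(p, `\`, "/"))
}

// hasDotDotSegment splits on both separators and reports any ".." segment
// that survived sanitization.
func hasDotDotSegment(p string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(p, isSep) {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample request paths: one traversal per separator style.
	for _, p := range []string{"../../etc/passwd", `..\..\windows\win.ini`} {
		a := cleanForwardSlashOnly(p)
		b := cleanBothSeparators(p)
		fmt.Printf("%-24q slash-only=%-28q dotdot=%-5v both=%-20q dotdot=%v\n",
			p, a, hasDotDotSegment(a), b, hasDotDotSegment(b))
	}
}
```

The final safeguard, independent of string cleaning, is to resolve the joined filesystem path with `filepath.Abs` and check that it still has the root directory as a prefix before opening anything.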