CVE-2026-27585

Medium CVSS: 6.9

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.

Vendor

Caddyserver

Product

Caddy

CWE

CWE-20

Yayın Tarihi

2026-02-24 17:29:03

Güncelleme

2026-02-25 17:13:16

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-20 Caddy MEDIUM Caddyserver 2026

Referanslar

https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361 https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L398 https://github.com/caddyserver/caddy/releases/tag/v2.11.1 https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4

Benzer Kayıtlar

High

CVE-2026-30851

Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_a…

Medium

CVE-2026-30852

Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_r…

High

CVE-2026-27588

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request ma…

Medium

CVE-2026-27589

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (def…

High

CVE-2026-27590

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting…

High

CVE-2026-27586

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `Clien…