Vulnerability: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
Affected Versions: < v2.11.0
Patched Versions: v2.11.0
Severity: Moderate
CVE ID: CVE-2026-27585

Description

Summary: The path sanitization routine in the file matcher doesn't sanitize backslashes, which can lead to bypassing path-related security protections.

Details: The try_files directive is used to rewrite the request URI. It accepts a list of patterns and checks whether any files exist in the root that match the provided patterns. It's commonly used in Caddy configs. For example, it's used in SPA applications to rewrite every route that doesn't exist as a file to index.html.

Impact: This vulnerability may allow an attacker to bypass security protections. It affects users with specific Caddy and environment configurations.

PoC: A Proof of Concept (PoC) script is provided to demonstrate the vulnerability.
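The bug class named in the Summary, as an added Go example that is not Caddy's code and not part of the original advisory: a regression check for a glob-escaping routine, comparing an escaper that skips the backslash with one that includes it. The names escapeWeak, escapeStrict and literalOnly are hypothetical, path.Match stands in for the file matcher's globbing, and all inputs are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Hypothetical escapers for illustration; not Caddy's source.
// weak escapes the glob metacharacters but not the escape character itself.
var weak = strings.NewReplacer(`*`, `\*`, `?`, `\?`, `[`, `\[`)

// strict also escapes the backslash, so no input byte keeps a special meaning.
var strict = strings.NewReplacer(`\`, `\\`, `*`, `\*`, `?`, `\?`, `[`, `\[`)

func escapeWeak(s string) string   { return weak.Replace(s) }
func escapeStrict(s string) string { return strict.Replace(s) }

// literalOnly reports whether escape(input) is a valid pattern that matches
// input itself and none of the other names. A sound escaper always passes.
func literalOnly(escape func(string) string, input string, others []string) bool {
	pattern := escape(input)
	ok, err := path.Match(pattern, input)
	if err != nil || !ok {
		return false // malformed pattern, or the input no longer matches itself
	}
	for _, name := range others {
		if name == input {
			continue
		}
		if hit, _ := path.Match(pattern, name); hit {
			return false // a metacharacter survived escaping
		}
	}
	return true
}

func main() {
	others := []string{`\index.html`, `\x`}          // constructed names
	for _, in := range []string{`a*b`, `\*`, `a\`} { // constructed inputs
		fmt.Printf("%-5q weak=%-5v strict=%v\n", in,
			literalOnly(escapeWeak, in, others), literalOnly(escapeStrict, in, others))
	}
}
```

The weak escaper passes on `a*b` but fails as soon as the input carries its own backslash, which is why a test suite for such a routine needs inputs containing the escape character, including a trailing one.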