Key Vulnerability Information

CVE ID: CVE-2026-27590
Severity: High
Package:
Affected Versions: < v2.11.0
Patched Versions: v2.11.0

Summary:
- The vulnerability arises because Caddy's FastCGI path splitting logic uses a lowercased copy of the request path, and lowercasing certain Unicode characters changes their UTF-8 byte length. This leads to incorrect / and , potentially allowing path confusion and unintended PHP execution of non-.php files.

PoC:
- A Go program is provided to demonstrate the incorrect calculation of the split point on a lowercased path.

Impact:
- Security boundary bypass/path confusion in script resolution.
- Potential remote code execution depending on deployment and attacker-controlled file writes.
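The offset drift described in the summary, as an added example that is neither Caddy's code nor the advisory's PoC: `splitPosLowercased` and `splitPosOriginal` are hypothetical names, the sample paths are constructed, and the byte-wise ASCII scan is one way to keep offsets valid, not necessarily how v2.11.0 fixes it.

```go
package main

import (
	"fmt"
	"strings"
)

// splitPosLowercased reproduces the bug class: the offset is found in a
// lowercased copy of the path but is later applied to the original path.
func splitPosLowercased(path, ext string) int {
	idx := strings.Index(strings.ToLower(path), ext)
	if idx < 0 {
		return -1
	}
	return idx + len(ext)
}

// splitPosOriginal scans the original bytes with ASCII-only case folding, so
// the returned offset is always valid for the original path.
// Assumption: ext is lowercase ASCII such as ".php".
func splitPosOriginal(path, ext string) int {
	for i := 0; i+len(ext) <= len(path); i++ {
		match := true
		for j := 0; j < len(ext); j++ {
			c := path[i+j]
			if c >= 'A' && c <= 'Z' {
				c += 'a' - 'A'
			}
			if c != ext[j] {
				match = false
				break
			}
		}
		if match {
			return i + len(ext)
		}
	}
	return -1
}

func main() {
	// Constructed paths: U+212A shrinks when lowercased, U+023A grows.
	for _, p := range []string{"/\u212A\u212A/index.php/info", "/\u023A/index.php"} {
		bad, good := splitPosLowercased(p, ".php"), splitPosOriginal(p, ".php")
		fmt.Printf("len=%d lowercased-copy=%d original=%d\n", len(p), bad, good)
		if bad <= len(p) { // the grown offset can exceed the original length
			fmt.Printf("  buggy script=%q correct script=%q\n", p[:bad], p[:good])
		}
	}
}
```

A regression test for a fixed build can assert that the split offset always lands immediately after the extension in the original path for inputs like these.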