Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

caddyserver — Vulnerabilities & Security Advisories 8

Browse all 8 CVE security advisories affecting caddyserver. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Caddyserver is an open-source web server with automatic HTTPS that primarily serves static content and reverse proxies. Historically, it has been susceptible to remote code execution, cross-site scripting, and privilege escalation vulnerabilities, often stemming from improper input validation and insecure default configurations. While no major security incidents have been widely documented, its 8 recorded CVEs highlight potential risks in areas like path traversal and request smuggling. The platform's security posture benefits from regular updates and a focus on simplicity, though deployments should implement proper access controls and input sanitization to mitigate identified weaknesses.

Found 8 results / 8Clear Filters
Top products by caddyserver: caddy
CVE IDTitleCVSSSeverityPublished
CVE-2026-30851 Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation — caddyCWE-287 8.1 High2026-03-07
CVE-2026-30852 Caddy: vars_regexp double-expands user input, leaking env vars and files — caddyCWE-200 9.1 -2026-03-07
CVE-2026-27590 Caddy: Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport — caddyCWE-20 9.8 -2026-02-24
CVE-2026-27589 Caddy vulnerable to cross-origin config application via local admin API /load (caddy) — caddyCWE-352 6.5 -2026-02-24
CVE-2026-27588 Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass — caddyCWE-178 9.1 -2026-02-24
CVE-2026-27587 Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass — caddyCWE-178 9.1 -2026-02-24
CVE-2026-27586 Caddy's mTLS client authentication silently fails open when CA certificate file is missing or malformed — caddyCWE-755 8.2 -2026-02-24
CVE-2026-27585 Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections — caddyCWE-20 9.1 -2026-02-24

This page lists every published CVE security advisory associated with caddyserver. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.