Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Information Disclosure
Caddy
NVD
GitHub
CVSS 3.0
3.7
EPSS
0.9%