What is the CVSS score of CVE-2026-27587?

CVE-2026-27587 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of TLS are affected by CVE-2026-27587?

A critical vulnerability in Caddy web servers (CVE-2026-27587) allows attackers to bypass path-based access controls through case-sensitivity mishandling in URL encoding, potentially exposing…. A patch is available.

Is there a public PoC exploit available for CVE-2026-27587?

Yes, a public proof-of-concept exploit is available for CVE-2026-27587. Prioritise patching immediately. EPSS: 0.0%.

TLS CVE-2026-27587

CRITICAL

Improper Handling of Case Sensitivity (CWE-178)

2026-02-24 security-advisories@github.com

GHSA-g7pc-pc7g-h8jh

TLS Caddy Suse

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 25, 2026 - 17:11 vuln.today

Public exploit code

CVE Published

Feb 24, 2026 - 17:29 nvd

CRITICAL 9.1

DescriptionNVD

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (%xx) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.

AnalysisAI

Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using alternate casing on case-insensitive filesystems. …

RemediationAI

Within 24 hours: inventory all Caddy instances and their versions; disable or restrict HTTP path matchers containing percent-escape sequences if operationally feasible; enable enhanced logging on path-based access controls. Within 7 days: implement WAF rules to normalize and validate URL encoding before requests reach Caddy; segment affected systems from sensitive data stores; establish daily vulnerability scanning. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-27587 vulnerability details – vuln.today

Back

TLS CVE-2026-27587

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code