Skip to main content

Caddy

14 CVEs product

Monthly

CVE-2026-30852 Go HIGH POC PATCH This Week

{env.DATABASE_URL} or {file./etc/passwd} into request headers, an unauthenticated attacker can leak sensitive system information. Public exploit code exists for this vulnerability, which is fixed in version 2.11.2.

TLS Caddy Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30851 Go HIGH POC PATCH This Week

Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, enabling authenticated attackers to inject identity headers and escalate privileges. This authentication bypass vulnerability affects deployments relying on Caddy for request forwarding and has public exploit code available. The vulnerability requires valid authentication credentials but allows complete privilege elevation within affected systems.

TLS Privilege Escalation Caddy Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-27590 Go CRITICAL POC PATCH Act Now

FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to FastCGI backends (PHP-FPM). EPSS 0.19% with PoC available.

PHP TLS RCE Caddy Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-27589 Go MEDIUM POC PATCH This Month

Caddy versions prior to 2.11.1 allow unauthenticated cross-origin requests to the admin API when origin enforcement is disabled, enabling attackers to remotely reconfigure the server through malicious web content loaded in a victim's browser. Public exploit code exists for this vulnerability, which can be leveraged to modify HTTP server behavior and admin listener settings without user knowledge. The vulnerability affects Caddy and TLS implementations, with no patch currently available for affected versions.

TLS Caddy Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27588 Go CRITICAL POC PATCH Act Now

Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casing in the Host header. PoC available.

TLS Caddy Suse
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27587 Go CRITICAL POC PATCH Act Now

Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using alternate casing on case-insensitive filesystems. PoC available.

TLS Caddy Suse
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27586 Go CRITICAL POC PATCH Act Now

TLS error swallowing in Caddy web server before 2.11.1 allows bypassing client certificate authentication. Errors in ClientCAs handling are silenced, potentially accepting invalid client certificates. PoC available.

TLS Caddy Suse
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-27585 Go MEDIUM POC PATCH This Month

Caddy versions prior to 2.11.1 fail to sanitize backslashes in file path matching, allowing attackers to bypass path-based security controls through specially crafted requests. The vulnerability affects systems with specific Caddy configurations and has public exploit code available. Exploitation requires network access with no authentication, resulting in limited information disclosure or modification of restricted resources.

TLS Caddy Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2023-49854 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Tribe Interactive Caddy - Smart Side Cart for WooCommerce.9.7. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Caddy
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2023-50463 Go MEDIUM This Month

The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Caddy
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-34037 HIGH POC This Week

An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Denial Of Service Buffer Overflow Caddy
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-29718 Go MEDIUM PATCH This Month

Caddy v2.4 was discovered to contain an open redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Caddy
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2018-19148 Go LOW POC PATCH Monitor

Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Caddy
NVD GitHub
CVSS 3.0
3.7
EPSS
0.9%
CVE-2017-5963 MEDIUM POC This Month

An issue was discovered in caddy (for TYPO3) before 7.2.10. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Caddy
NVD
CVSS 3.0
6.1
EPSS
0.2%
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

{env.DATABASE_URL} or {file./etc/passwd} into request headers, an unauthenticated attacker can leak sensitive system information. Public exploit code exists for this vulnerability, which is fixed in version 2.11.2.

TLS Caddy Suse
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, enabling authenticated attackers to inject identity headers and escalate privileges. This authentication bypass vulnerability affects deployments relying on Caddy for request forwarding and has public exploit code available. The vulnerability requires valid authentication credentials but allows complete privilege elevation within affected systems.

TLS Privilege Escalation Caddy +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to FastCGI backends (PHP-FPM). EPSS 0.19% with PoC available.

PHP TLS RCE +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Caddy versions prior to 2.11.1 allow unauthenticated cross-origin requests to the admin API when origin enforcement is disabled, enabling attackers to remotely reconfigure the server through malicious web content loaded in a victim's browser. Public exploit code exists for this vulnerability, which can be leveraged to modify HTTP server behavior and admin listener settings without user knowledge. The vulnerability affects Caddy and TLS implementations, with no patch currently available for affected versions.

TLS Caddy Suse
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casing in the Host header. PoC available.

TLS Caddy Suse
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using alternate casing on case-insensitive filesystems. PoC available.

TLS Caddy Suse
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

TLS error swallowing in Caddy web server before 2.11.1 allows bypassing client certificate authentication. Errors in ClientCAs handling are silenced, potentially accepting invalid client certificates. PoC available.

TLS Caddy Suse
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Caddy versions prior to 2.11.1 fail to sanitize backslashes in file path matching, allowing attackers to bypass path-based security controls through specially crafted requests. The vulnerability affects systems with specific Caddy configurations and has public exploit code available. Exploitation requires network access with no authentication, resulting in limited information disclosure or modification of restricted resources.

TLS Caddy Suse
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Tribe Interactive Caddy - Smart Side Cart for WooCommerce.9.7. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Caddy
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Caddy
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Denial Of Service Buffer Overflow +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Caddy v2.4 was discovered to contain an open redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Caddy
NVD GitHub
EPSS 1% CVSS 3.7
LOW POC PATCH Monitor

Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Caddy
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

An issue was discovered in caddy (for TYPO3) before 7.2.10. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Caddy
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy