Security: caddyserver/caddy
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
vars_regexp double-expands user input, leaking env vars and filesGHSA-m2w3-8f23-hxxf published
Mar 6, 2026 by mholtModerate -
Improper sanitization of glob characters in file matcher may lead to bypassing security protectionsGHSA-4xrr-hq4w-6vf4 published
Feb 23, 2026 by mholtModerate -
mTLS client authentication silently fails open when CA certificate file is missing or malformedGHSA-hffm-g8v7-wrv7 published
Feb 23, 2026 by mholtHigh -
Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypassGHSA-g7pc-pc7g-h8jh published
Feb 23, 2026 by mholtModerate -
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypassGHSA-x76f-jf84-rqj8 published
Feb 23, 2026 by mholtModerate -
cross-origin config application via local admin API /load (caddy)GHSA-879p-475x-rqh2 published
Feb 23, 2026 by mholtModerate -
Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transportGHSA-5r3v-vc8m-m96g published
Feb 23, 2026 by mholtHigh