caddyserver
Security Risk Profile
Security Risk Score: a risk assessment based on 15 tracked vulnerabilities, their EPSS scores, exploitation status, and remediation availability.
Data spans from November 10, 2018 to present.
Threat Assessment charts: Severity Distribution, Exploit Likelihood, Age Distribution, Common Weaknesses (CWE), Most Affected Products.
Recent Vulnerabilities
- Caddy: vars_regexp double-expands user input, leaking env vars and files
- Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation
- Caddy: Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport
- Caddy vulnerable to cross-origin config application via local admin API /load (caddy)
- Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
- Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass
- Caddy's mTLS client authentication silently fails open when CA certificate file is missing or malformed
- Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections
- Rapid Reset HTTP/2 vulnerability
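The split_path entry in the list above describes a byte offset computed on a case-folded copy of the request path being applied to the original, unfolded path. The following Go program is an added illustration of that bug class; it is not Caddy's code, and `splitPathNaive`, `splitPathSafe` and the sample paths are constructed for this example. It shows both a folding expansion (U+023A "Ⱥ" lowercases to the 3-byte U+2C65 in Go) and a contraction (U+0130 "İ" lowercases to the 1-byte "i"), and a split routine that compares case-insensitively without ever mixing offsets between two strings.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// Illustrative code, not Caddy's implementation. It demonstrates the bug class
// behind the split_path advisory: an index found in a case-folded copy of the
// path is used to slice the original path.

// splitPathNaive finds the split token case-insensitively by lowercasing the
// whole path, then slices the ORIGINAL path at the offset it found. Unicode
// case folding can change byte length, so the offset may no longer point at
// the token in the original string.
func splitPathNaive(path, split string) (scriptName, pathInfo string) {
	idx := strings.Index(strings.ToLower(path), strings.ToLower(split))
	if idx < 0 {
		return path, ""
	}
	end := idx + len(split)
	if end > len(path) {
		end = len(path) // avoid a slice panic; the result is still wrong
	}
	return path[:end], path[end:]
}

// splitPathSafe never mixes offsets between strings: it walks the original
// path at rune boundaries, takes a window with the same rune count as the
// split token, and compares that window with strings.EqualFold. Every offset
// it returns is therefore an offset into the original bytes.
func splitPathSafe(path, split string) (scriptName, pathInfo string) {
	want := utf8.RuneCountInString(split)
	for start := range path { // range over a string yields rune-start byte offsets
		end, got := start, 0
		for end < len(path) && got < want {
			_, size := utf8.DecodeRuneInString(path[end:])
			end += size
			got++
		}
		if got < want {
			break // fewer runes remain than the token needs
		}
		if strings.EqualFold(path[start:end], split) {
			return path[:end], path[end:]
		}
	}
	return path, ""
}

func main() {
	// Constructed sample request paths (not taken from any real traffic).
	samples := []string{
		"/Ⱥ/index.PHP/extra", // folding expands: 2-byte Ⱥ becomes 3-byte ⱥ
		"/İ/index.PHP/extra", // folding contracts: 2-byte İ becomes 1-byte i
		"/plain/index.php/x", // ASCII only: both routines agree
	}
	for _, p := range samples {
		s1, i1 := splitPathNaive(p, ".php")
		s2, i2 := splitPathSafe(p, ".php")
		fmt.Printf("%-22s naive: SCRIPT_NAME=%q PATH_INFO=%q\n", p, s1, i1)
		fmt.Printf("%-22s safe:  SCRIPT_NAME=%q PATH_INFO=%q\n", p, s2, i2)
	}
}
```

For the first sample the naive routine returns SCRIPT_NAME "/Ⱥ/index.PHP/e" and PATH_INFO "xtra", because ".php" sits one byte further along in the folded copy than ".PHP" does in the original; the safe routine returns "/Ⱥ/index.PHP" and "/extra". The general rule is that any index derived from a transformed string (lowercased, unescaped, normalized) must only ever be applied to that same transformed string.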