
go/github.com/caddyserver/caddy/v2/modules/caddyhttp
Caddy: vars_regexp double-expands user input, leaking env vars and files
Risk 31 | Severity 7.5 | EPSS 0.04%

go/github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy
Caddy forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation
Risk 56 | Severity 8.8 | EPSS 0.02%

Caddy
Caddy: Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport
Risk 61 | Severity 9.8 | EPSS 0.19%
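The entry above describes a bug class rather than a Caddy-specific quirk: a path is case-folded to find the split marker, and the index found in the folded copy is applied to the original bytes. The following is an added illustration written for this page, not Caddy's own split_path code. SplitPathBuggy, SplitPathSafe and the sample path are assumptions; the sample path is constructed so that one rune (U+212A KELVIN SIGN, three bytes) folds to ASCII "k" (one byte), which is enough to shift every later offset. SplitPathSafe assumes an ASCII marker such as ".php".

```go
package main

import (
	"fmt"
	"strings"
)

// SplitPathBuggy reproduces the bug class: the split marker is located in a
// case-folded copy of the path and that index is then applied to the ORIGINAL
// bytes. Whenever folding changes the byte length of an earlier rune (it can
// shrink, as for U+212A -> 'k', or grow, as for U+023A -> U+2C65), the offset
// is wrong and SCRIPT_NAME/PATH_INFO are cut in the wrong place.
func SplitPathBuggy(path, split string) (scriptName, pathInfo string) {
	folded := strings.ToLower(path)
	idx := strings.Index(folded, strings.ToLower(split))
	if idx < 0 {
		return path, ""
	}
	end := idx + len(split)
	if end > len(path) { // folding that grows the string would otherwise index past the end
		end = len(path)
	}
	return path[:end], path[end:]
}

// SplitPathSafe scans the original string with a case-insensitive window of
// len(split) bytes, so every offset it returns refers to the original bytes.
// Assumes an ASCII split marker (the normal case for a FastCGI extension).
func SplitPathSafe(path, split string) (scriptName, pathInfo string) {
	n := len(split)
	for i := 0; i+n <= len(path); i++ {
		if strings.EqualFold(path[i:i+n], split) {
			return path[:i+n], path[i+n:]
		}
	}
	return path, ""
}

func main() {
	// Constructed input: the second rune is U+212A KELVIN SIGN, which
	// strings.ToLower maps to plain ASCII 'k' (3 bytes -> 1 byte).
	path := "/\u212aelvin/index.php/secret"
	variants := []struct {
		name string
		fn   func(string, string) (string, string)
	}{
		{"buggy", SplitPathBuggy},
		{"safe", SplitPathSafe},
	}
	for _, v := range variants {
		s, p := v.fn(path, ".php")
		fmt.Printf("%-5s SCRIPT_NAME=%q PATH_INFO=%q\n", v.name, s, p)
	}
}
```

On the constructed path the buggy variant returns SCRIPT_NAME "/Kelvin/index.p" and PATH_INFO "hp/secret", so the FastCGI backend is handed a script name that does not exist and a path info that was never part of the URL; the safe variant splits after ".php". For ASCII-only paths both variants agree, which is why this class of bug survives ordinary testing.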

Caddy
Caddy vulnerable to cross-origin config application via local admin API /load
Risk 28 | Severity 6.9 | EPSS 0.02%

Caddy
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
Risk 47 | Severity 9.1 | EPSS 0.04%

Caddy
Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass
Risk 47 | Severity 9.1 | EPSS 0.04%

Caddy
Caddy's mTLS client authentication silently fails open when CA certificate file is missing or malformed
Risk 47 | Severity 9.1 | EPSS 0.08%
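The fail-open pattern named in the entry above is easy to reproduce in any Go server: os.ReadFile or x509.CertPool.AppendCertsFromPEM fails, the error or boolean is dropped, and the server starts with an empty or nil ClientCAs. The following is an added example for this page, not Caddy's code or its fix, showing the fail-closed shape a practitioner wants. ClientCAConfig, SelfSignedCAPEM and WriteCAFiles are assumed names; the CA certificate and the malformed file are constructed on the fly so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// ClientCAConfig builds the server-side TLS config for client-certificate
// authentication and fails CLOSED: a missing, unreadable or malformed CA file
// is a hard error, never a server that quietly stops verifying clients.
func ClientCAConfig(caPath string) (*tls.Config, error) {
	pemBytes, err := os.ReadFile(caPath)
	if err != nil {
		return nil, fmt.Errorf("client CA file %q: %w", caPath, err)
	}
	pool := x509.NewCertPool()
	// AppendCertsFromPEM skips every block it cannot parse and only reports
	// whether at least one certificate was added; an unchecked bool here is
	// exactly how an empty pool reaches production.
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("client CA file %q: no CA certificates parsed", caPath)
	}
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		// Never leave this nil: with ClientCAs == nil, crypto/tls verifies the
		// client chain against the system root pool, i.e. any public CA.
		ClientCAs: pool,
	}, nil
}

// SelfSignedCAPEM generates a throwaway CA certificate so the demo can run
// offline (constructed test material, not a real trust anchor).
func SelfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo client CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// WriteCAFiles writes one valid and one malformed CA file into dir and
// returns their paths.
func WriteCAFiles(dir string) (good, bad string, err error) {
	caPEM, err := SelfSignedCAPEM()
	if err != nil {
		return "", "", err
	}
	good = filepath.Join(dir, "ca.pem")
	bad = filepath.Join(dir, "ca-broken.pem")
	if err := os.WriteFile(good, caPEM, 0o600); err != nil {
		return "", "", err
	}
	// PEM armor with a garbage body: nothing inside parses as a certificate.
	broken := []byte("-----BEGIN CERTIFICATE-----\nthis is not a certificate\n-----END CERTIFICATE-----\n")
	if err := os.WriteFile(bad, broken, 0o600); err != nil {
		return "", "", err
	}
	return good, bad, nil
}

func main() {
	dir, err := os.MkdirTemp("", "mtls-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	good, bad, err := WriteCAFiles(dir)
	if err != nil {
		panic(err)
	}
	for _, p := range []string{good, bad, filepath.Join(dir, "missing.pem")} {
		cfg, err := ClientCAConfig(p)
		if err != nil {
			fmt.Printf("%-14s refused to start: %v\n", filepath.Base(p), err)
			continue
		}
		fmt.Printf("%-14s ok, ClientAuth=%v\n", filepath.Base(p), cfg.ClientAuth)
	}
}
```

The check to carry into a deployment review is the same regardless of server: after loading the CA, assert that the pool is non-nil and non-empty and that ClientAuth is RequireAndVerifyClientCert, and treat any other combination as a startup failure rather than a warning.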

Caddy
Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections
Risk 28 | Severity 6.9 | EPSS 0.10%

go/github.com/shift72/caddy-geo-ip
The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For…
Risk 38 | Severity 6.5

Apache Tomcat
Rapid Reset HTTP/2 vulnerability
Risk 65 | Severity 7.5

go/github.com/caddyserver/caddy/v2
Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to r…
Risk 39 | Severity 6.1

go/github.com/caddyserver/caddy
An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5…
Risk 45 | Severity 7.5

caddyserver Caddy
Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attack…
Risk 38 | Severity 6.1

caddyserver Caddy
Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypa…
Risk 86 | Severity 9.8

go/github.com/caddyserver/caddy
Infoleak
Risk 23 | Severity 4.3

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203