github.com/caddyserver/caddy (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/caddyserver/caddy, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (7)
CVE-2018-21246 — CVSS 9.8 (critical): Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the…
CVE-2026-52845 — CVSS 8.1 (high): Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact…
CVE-2022-34037 — CVSS 7.5 (high): An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial…
CVE-2026-52844 — CVSS 7.5 (high): Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt…
CVE-2022-29718 — CVSS 6.1 (medium): Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to…
CVE-2026-52846 — CVSS 4.2 (medium): Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably…
CVE-2018-19148 — CVSS 3.7 (low): Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames…