github.com/caddyserver/caddy/v2 (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/caddyserver/caddy/v2, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (15)
CVE-2026-27590 — CVSS 9.8 (critical): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the…
CVE-2026-27587 — CVSS 9.1 (critical): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended…
CVE-2026-27588 — CVSS 9.1 (critical): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented…
CVE-2026-27586 — CVSS 9.1 (critical): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.prov…
CVE-2026-45135 — CVSS 8.1 (high): Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in…
CVE-2026-30851 — CVSS 8.1 (high): Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers…
CVE-2026-52845 — CVSS 8.1 (high): Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact…
CVE-2026-52844 — CVSS 7.5 (high): Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt…
CVE-2026-30852 — CVSS 7.5 (high): Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in…
CVE-2026-27585 — CVSS 6.5 (medium): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher…
CVE-2026-27589 — CVSS 6.5 (medium): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen…
CVE-2022-28923 — CVSS 6.1 (medium): Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via…
CVE-2022-29718 — CVSS 6.1 (medium): Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to…
CVE-2026-45692 — CVSS 5.4 (medium): Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal…
CVE-2026-52846 — CVSS 4.2 (medium): Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably…