Every CVE whose affected-product data names Caddyserver Caddy, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (20)
CVE-2018-21246 — CVSS 9.8 (critical): Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the…
CVE-2026-27590 — CVSS 9.8 (critical): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the…
CVE-2026-27586 — CVSS 9.1 (critical): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.prov…
CVE-2026-27588 — CVSS 9.1 (critical): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented…
CVE-2026-27587 — CVSS 9.1 (critical): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended…
CVE-2026-52845 — CVSS 8.1 (high): Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact…
CVE-2026-30851 — CVSS 8.1 (high): Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers…
CVE-2026-45135 — CVSS 8.1 (high): Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in…
CVE-2026-52844 — CVSS 7.5 (high): Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt…
CVE-2026-30852 — CVSS 7.5 (high): Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in…
CVE-2022-34037 — CVSS 7.5 (high): An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial…
CVE-2026-27585 — CVSS 6.5 (medium): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher…
CVE-2026-27589 — CVSS 6.5 (medium): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen…
CVE-2023-50463 — CVSS 6.5 (medium): The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof…
CVE-2022-28923 — CVSS 6.1 (medium): Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via…
CVE-2022-29718 — CVSS 6.1 (medium): Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to…
CVE-2026-45692 — CVSS 5.4 (medium): Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal…
CVE-2026-52846 — CVSS 4.2 (medium): Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably…
CVE-2018-19148 — CVSS 3.7 (low): Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames…