github.com/caddyserver/caddy
Go7 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/caddyserver/caddypage 1 of 1
- CVE-2018-19148LOWCVSS 3.7EG 3.7✓ Fixed in 0.11.12018-11-10
Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 …
- CVE-2018-21246CRITICALCVSS 9.8EG 9.8✓ Fixed in 0.10.132020-06-15
Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.
- CVE-2022-29718MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.5.02022-06-02
Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.
- CVE-2022-34037HIGHCVSS 7.5EG 7.5✓ Fixed in 2.5.22022-07-22
An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Note: This has been disputed as a bug, not a security vulnerabili…
- CVE-2026-52844HIGHCVSS 7.5EG 7.52026-06-16
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt o…
- CVE-2026-52845HIGHCVSS 8.1EG 8.12026-06-16
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request late…
- CVE-2026-52846MEDIUMCVSS 4.2EG 4.22026-06-16
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as <<>img src=x onerror=alert()>,…
Check whether github.com/caddyserver/caddy is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for github.com/caddyserver/caddy CVEs against the assets you own.
Start Free Scan →