github.com/caddyserver/caddy/v2
Go7 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/caddyserver/caddy/v2page 1 of 1
- CVE-2022-28923MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.5.0-beta.12023-02-06
Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs.
- CVE-2022-29718MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.5.02022-06-02
Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.
- CVE-2026-45135HIGHCVSS 8.1EG 8.1✓ Fixed in 2.11.32026-05-18
Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when …
- CVE-2026-45692LOWCVSS 3.8EG 3.8✓ Fixed in 2.11.32026-05-19
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one confi…
- CVE-2026-52844HIGHCVSS 7.5EG 7.5✓ Fixed in 2.11.42026-06-16
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt o…
- CVE-2026-52845HIGHCVSS 8.1EG 8.1✓ Fixed in 2.11.42026-06-16
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request late…
- CVE-2026-52846MEDIUMCVSS 4.2EG 4.2✓ Fixed in 2.11.42026-06-16
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as <<>img src=x onerror=alert()>,…
Check whether github.com/caddyserver/caddy/v2 is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for github.com/caddyserver/caddy/v2 CVEs against the assets you own.
Start Free Scan →