CVE-2026-27585

← CVEs

MED 6.5

Published

2026-02-24

Last Modified

2026-02-25

Affected Apps

Affected Devices

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.

Affected Applications in Environment 2

Caddy v2.10.0

1 device

server v1.0.0.0

1 device

Affected Devices 2

EBB107-01 Windows EMBARK01 Windows

References 4

https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361
https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L398
https://github.com/caddyserver/caddy/releases/tag/v2.11.1
https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4