← Voltar para CVEs
CVE-2026-27585
MEDIUM6.5
Descricao
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
Detalhes CVE
Pontuacao CVSS v3.16.5
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado2/24/2026
Ultima modificacao2/25/2026
Fontenvd
Avistamentos honeypot0
Produtos afetados
caddyserver:caddy
Fraquezas (CWE)
CWE-20
Referencias
https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361(security-advisories@github.com)
https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L398(security-advisories@github.com)
https://github.com/caddyserver/caddy/releases/tag/v2.11.1(security-advisories@github.com)
https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4(security-advisories@github.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.