FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

caddy -- multiple vulnerabilities

Affected packages
caddy < 2.11.4

Details

VuXML ID 94f93681-6775-11f1-8044-002590af0794
Discovery 2026-06-08
Entry 2026-06-13

Caddy project reports:

Caddy 2.11.4 contains multiple security fixes.

GitHub Security Advisory GHSA-qrp7-cvwr-j2c6 reports:

Windows-encoded backslashes in request paths could bypass path-scoped authorization rules before files are served by file_server.

GitHub Security Advisory GHSA-f59h-q822-g45g reports:

forward_auth copy_headers could fail to remove underscore aliases of copied identity headers before FastCGI header normalization, allowing identity or group header spoofing.
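The collision behind the forward_auth issue, shown with its mitigation as an added example (not Caddy's code and not taken from the advisory): CGI/FastCGI naming maps `Remote-User` and `Remote_User` to the same variable, so any client header with a matching normalized name has to be dropped before the authenticated value is set. The header names and the functions `cgiKey`, `ApplyAuthResult` and `CGIEnv` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// cgiKey applies CGI/FastCGI naming (RFC 3875 4.1.18): upper-case, '-' becomes '_'.
func cgiKey(name string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
}

// ApplyAuthResult removes every client header whose CGI form matches a trusted
// identity header, then sets the auth service's values. Returns removed names.
func ApplyAuthResult(h http.Header, identity map[string]string) []string {
	protected := map[string]bool{}
	for name := range identity {
		protected[cgiKey(name)] = true
	}
	removed := []string{}
	for name := range h {
		if protected[cgiKey(name)] {
			removed = append(removed, name)
			delete(h, name)
		}
	}
	for name, value := range identity {
		h.Set(name, value)
	}
	sort.Strings(removed)
	return removed
}

// CGIEnv shows what a FastCGI backend would see for these headers.
func CGIEnv(h http.Header) map[string]string {
	env := map[string]string{}
	for name, vals := range h {
		env[cgiKey(name)] = strings.Join(vals, ", ")
	}
	return env
}

func main() {
	// Constructed request headers: the client sends two underscore aliases.
	h := http.Header{"Remote_User": {"admin"}, "REMOTE_GROUPS": {"wheel"}, "Accept": {"*/*"}}
	removed := ApplyAuthResult(h, map[string]string{"Remote-User": "alice", "Remote-Groups": "staff"})
	fmt.Println("removed:", removed, "backend sees:", CGIEnv(h))
}
```

Comparing on the normalized name rather than the literal header name is what closes the gap: a check that only deletes `Remote-User` leaves `Remote_User` in place to reach the backend under the same variable.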

GitHub Security Advisory GHSA-vcc4-2c75-vc9v reports:

The stripHTML template function could fail to remove malformed HTML, potentially allowing client-side cross-site scripting if untrusted output is later rendered as HTML.

References

CVE Name CVE-2026-52844
CVE Name CVE-2026-52845
CVE Name CVE-2026-52846
URL https://github.com/caddyserver/caddy/releases/tag/v2.11.4
URL https://github.com/caddyserver/caddy/security/advisories/GHSA-f59h-q822-g45g
URL https://github.com/caddyserver/caddy/security/advisories/GHSA-qrp7-cvwr-j2c6
URL https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v