CVE-2026-52844

medium

Description

Caddy project reports: Caddy 2.11.4 contains multiple security fixes.

GitHub Security Advisory GHSA-qrp7-cvwr-j2c6 reports: Windows-encoded backslashes in request paths could bypass path-scoped authorization rules before files are served by file_server.

GitHub Security Advisory GHSA-f59h-q822-g45g reports: forward_auth copy_headers could fail to remove underscore aliases of copied identity headers before FastCGI header normalization, allowing identity or group header spoofing.

GitHub Security Advisory GHSA-vcc4-2c75-vc9v reports: The stripHTML template function could fail to remove malformed HTML, potentially allowing client-side cross-site scripting if untrusted output is later rendered as HTML.

Details

Source: Mitre, NVD

Published: 2026-06-13

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00029