
caddyserver caddy

17 known vulnerabilities across versions
Vulnerabilities are listed by affected version range, with the CVE identifier, the versions the advisory covers, the advisory summary, and the severity score.
CVE-2026-30852
Affected versions: >= 2.7.5 and < 2.11.2
Severity: 7.5 HIGH
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matc

CVE-2026-30851
Affected versions: >= 2.10.0 and < 2.11.2
Severity: 8.1 HIGH
Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_h

CVE-2026-27590
Affected versions: < 2.11.1
Severity: 9.8 CRITICAL
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic com

CVE-2026-27589
Affected versions: < 2.11.1
Severity: 6.5 MEDIUM
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default liste

CVE-2026-27588
Affected versions: >= 2.10.2 and < 2.11.1
Severity: 9.1 CRITICAL
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP host request matcher is d

CVE-2026-27587
Affected versions: >= 2.10.2 and < 2.11.1
Severity: 9.1 CRITICAL
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is i

CVE-2026-27586
Affected versions: < 2.11.1
Severity: 9.1 CRITICAL
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentic

CVE-2026-27585
Affected versions: < 2.11.1
Severity: 6.5 MEDIUM
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file ma

CVE-2023-49854
Affected versions: < 1.9.8
Severity: 5.4 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in Tribe Interactive Caddy - Smart Side Cart for WooCommerce. This issue affects Ca

CVE-2023-50463
Affected versions: <= 0.6.0
Severity: 6.5 MEDIUM
The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to

CVE-2023-44487
Affected versions: < 2.7.5
Severity: 7.5 HIGH
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams q

CVE-2022-28923
Affected versions: all versions
Severity: 6.1 MEDIUM
Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing webs

CVE-2022-34037
Affected versions: all versions
Severity: 7.5 HIGH
An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a

CVE-2022-29718
Affected versions: >= 2.4.0 and < 2.5.0
Severity: 6.1 MEDIUM
Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerabil

CVE-2018-21246
Affected versions: < 0.10.3
Severity: 9.8 CRITICAL
Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the S

CVE-2018-19148
Affected versions: <= 0.11.0
Severity: 3.7 LOW
Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostna

CVE-2017-5963
Affected versions: all versions
Severity: 6.1 MEDIUM
An issue was discovered in caddy (for TYPO3) before 7.2.10. The vulnerability exists due to insufficient filtration of user-suppli
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin