VDB
CVE-2026-27585
CVE-2026-27585
PUBLISHED
CVSS 6.900000095367432 MEDIUM
Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
EPSS 0.12% · 30.9th percentile
Risk Scores
CVSS v4.0
6.900000095367432
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
EPSS Score
0.12%
30.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| caddyserver | caddy | < 2.11.1, 0, 0 |
| github.com | caddyserver/caddy/v2 | 0, 0 |
Timeline
- Feb 20, 2026 CVE ID Reserved
- Feb 24, 2026 CVE Published
- Feb 25, 2026 EPSS Score
- Feb 25, 2026 PoC Published
- Feb 26, 2026 EPSS Score
- Feb 27, 2026 CVE Updated
- Feb 28, 2026 EPSS Score
- Mar 1, 2026 EPSS Score
- Mar 3, 2026 EPSS Score
- Mar 4, 2026 EPSS Score
- Mar 6, 2026 EPSS Score
- Mar 7, 2026 EPSS Score
References
- https://pkg.go.dev/vuln/GO-2026-4535 url
- https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4 url
- https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361 url
- https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L398 url
- https://github.com/caddyserver/caddy/releases/tag/v2.11.1 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-27585 advisory
- https://caddyserver.com/docs/caddyfile/directives#directive-order url
- https://github.com/caddyserver/caddy package