CVE-2026-27585
Improper sanitization of glob characters in github.com/caddyserver/caddy/v2
6.5 MEDIUM (CVSS 3.1)
EPSS 0.12%
Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in the file matcher does not sanitize backslashes, which can allow path-related security protections to be bypassed. The issue affects only users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
How to fix CVE-2026-27585
To remediate CVE-2026-27585, upgrade the affected package to a fixed version listed below.
- no fix listed
- upgrade to 2.11.1 or later
- upgrade to 2.11.1 or later
Is CVE-2026-27585 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 0 (no fixed version listed)
- >= 0, < 2.11.1
- >= 0, < 2.11.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | (not rated) | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P |
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |