Moderate: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: caddy: caddy-2.11.3-0.1.hum1 aarch64, x8664 caddy-2.11.3-0.1.hum1.src src...

Header Injection

Overview Affected versions of this package are vulnerable to Header Injection in the varsregexp matcher. An attacker can access sensitive environment variables, file contents, or system information by injecting specially crafted placeholders such as env. or file. into HTTP request headers, which...

GO-2026-4539 Caddy mTLS authentication fails open in github.com/caddyserver/caddy/v2

Caddy mTLS authentication fails open in github.com/caddyserver/caddy/v2...

GO-2026-4538 Caddy MatchPath %xx branch skips case normalization in github.com/caddyserver/caddy/v2

Caddy MatchPath %xx branch skips case normalization in github.com/caddyserver/caddy/v2...

CVE-2026-27585 Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations...

📄 Caddy 2.10.0 Server-Side Request Forgery

Caddy version 2.10.0 suffers from a server-side request forgery vulnerability via a JSON configuration injection. Exploit Title: Caddy 2.10.0 - Admin API SSRF via JSON Config Injection Date: 2025-07-10 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://caddyserver.com/ Software Link:...

PT-2023-31567 · Caddy · Caddy-Geo-Ip

Name of the Vulnerable Software and Affected Versions: caddy-geo-ip versions 0.6.0 and earlier for Caddy 2 Description: The issue allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism, such as the trusted proxy directive in revers...