GO-2026-4538 Caddy MatchPath %xx branch skips case normalization in github.com/caddyserver/caddy/v2

Caddy MatchPath %xx branch skips case normalization in github.com/caddyserver/caddy/v2...

CVE-2026-27587 Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences %xx it compares against the request's escaped path without lowercasing. An...

CVE-2026-27587 Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences %xx it compares against the request's escaped path without lowercasing. An...

CVE-2026-27587

The CVE describes a vulnerability in Caddy’s path matching: before version 2.11.1, the HTTP path matcher is intended to be case-insensitive, but when the pattern contains percent-escape sequences (%xx) it compares against the request’s EscapedPath without lowercasing. This can allow bypassing rou...

PYSEC-2025-118

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List ACL for file paths can be bypassed by altering the letter case of a blocked file or directory path. This...

CVE-2025-23042 Gradio Blocked Path ACL Bypass Vulnerability

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List ACL for file paths can be bypassed by altering the letter case of a blocked file or directory path. This...

CVE-2025-23042

Gradio Blocked Path ACL bypass vulnerability (CVE-2025-23042) arises from missing case normalization in file-path validation. On case-insensitive file systems (e.g., Windows/macOS), an attacker can circumvent ACLs by altering the letter case of a blocked path, potentially accessing restricted fil...

Authorization Policy Bypass Due to Case Insensitive Host Comparison

Impact According to RFC 4343, Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The Envoy proxy will route the request hostname in a case-insensitive way which means the authorization policy...