4 matches found
CVE-2026-27587
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences %xx it compares against the request's escaped path without lowercasing. An...
CVE-2026-27587
The CVE describes a vulnerability in Caddy’s path matching: before version 2.11.1, the HTTP path matcher is intended to be case-insensitive, but when the pattern contains percent-escape sequences (%xx) it compares against the request’s EscapedPath without lowercasing. This can allow bypassing rou...
CVE-2026-27587 Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences %xx it compares against the request's escaped path without lowercasing. An...
CVE-2026-27587
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences %xx it compares against the request's escaped path without lowercasing. An...