Lucene search
K

4 matches found

ATTACKERKB
ATTACKERKB
added 2026/02/24 4:26 p.m.7 views

CVE-2026-27587

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences %xx it compares against the request's escaped path without lowercasing. An...

9.1CVSS5.5AI score0.0037EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/02/24 4:26 p.m.18 views

CVE-2026-27587

The CVE describes a vulnerability in Caddy’s path matching: before version 2.11.1, the HTTP path matcher is intended to be case-insensitive, but when the pattern contains percent-escape sequences (%xx) it compares against the request’s EscapedPath without lowercasing. This can allow bypassing rou...

9.1CVSS5.5AI score0.0037EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/02/24 4:26 p.m.27 views

CVE-2026-27587 Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences %xx it compares against the request's escaped path without lowercasing. An...

8.7CVSS0.0037EPSS
Exploits1References2
AlpineLinux
AlpineLinux
added 2026/02/24 4:26 p.m.7 views

CVE-2026-27587

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences %xx it compares against the request's escaped path without lowercasing. An...

9.1CVSS5.5AI score0.0037EPSS
Exploits1
Rows per page
Query Builder