2 matches found
CVE-2026-27588
A flaw was found in Caddy's HTTP host request matcher. When Caddy is configured with a large list of host entries, its host matching becomes unexpectedly case-sensitive instead of case-insensitive as documented. A remote attacker can exploit this by altering the casing of the Host header in HTTP...
DEBIAN-CVE-2026-27588
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list 100 entries it becomes case-sensitive due to an optimized matching path. An attacker can bypass...