{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-27590", "tracking": { "current_release_date": "2026-03-27T20:51:17.258325Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-27590", "initial_release_date": "2026-02-24T17:52:43.606148Z", "revision_history": [ { "date": "2026-02-24T17:52:43.606148Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (3).| CWES updated (1)." }, { "date": "2026-02-24T17:52:47.242300Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-02-24T18:26:39.035501Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-02-24T18:26:42.098407Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-02-24T20:39:51.663441Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (5).| CWES updated (1)." }, { "date": "2026-02-24T20:40:05.049072Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-02-25T00:12:44.558590Z", "number": "7", "summary": "Source connected.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (4).| CWES updated (1)." }, { "date": "2026-02-25T00:12:46.808475Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-02-25T00:12:55.232569Z", "number": "9", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (4).| CWES updated (1)." }, { "date": "2026-02-25T00:22:12.896356Z", "number": "10", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (94).| References created (5).| CWES updated (1)." }, { "date": "2026-02-25T00:42:41.969300Z", "number": "11", "summary": "Source created.| CVE status created. (valid)| Products connected (1)." }, { "date": "2026-02-25T06:42:55.692601Z", "number": "12", "summary": "Description created for source." }, { "date": "2026-02-25T15:13:51.645380Z", "number": "13", "summary": "Source created.| CVE status created. (valid)| EPSS created." }, { "date": "2026-02-25T15:13:53.809239Z", "number": "14", "summary": "NCSC Score updated." }, { "date": "2026-02-25T17:28:08.761035Z", "number": "15", "summary": "CVSS created.| Products connected (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-02-25T17:28:10.470896Z", "number": "16", "summary": "NCSC Score updated." }, { "date": "2026-02-25T22:20:27.286534Z", "number": "17", "summary": "NCSC Score updated." }, { "date": "2026-02-27T00:12:57.072081Z", "number": "18", "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (3)." }, { "date": "2026-02-27T00:12:58.321932Z", "number": "19", "summary": "NCSC Score updated." }, { "date": "2026-02-27T20:39:34.699819Z", "number": "20", "summary": "References created (1)." }, { "date": "2026-02-27T20:39:42.068412Z", "number": "21", "summary": "NCSC Score updated." }, { "date": "2026-02-27T21:39:06.221415Z", "number": "22", "summary": "Unknown change." }, { "date": "2026-02-28T00:12:41.257132Z", "number": "23", "summary": "References created (1)." }, { "date": "2026-02-28T06:23:18.934216Z", "number": "24", "summary": "Products connected (94)." }, { "date": "2026-02-28T16:09:55.494500Z", "number": "25", "summary": "Products removed (94)." }, { "date": "2026-03-20T09:40:37.424046Z", "number": "26", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-20T09:40:40.139172Z", "number": "27", "summary": "NCSC Score updated." }, { "date": "2026-03-26T02:10:29.270759Z", "number": "28", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (12).| Product Identifiers created (10).| References created (5)." }, { "date": "2026-03-26T02:10:32.170817Z", "number": "29", "summary": "NCSC Score updated." }, { "date": "2026-03-26T18:47:57.911118Z", "number": "30", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (2).| References created (7).| CWES updated (1)." }, { "date": "2026-03-26T18:48:00.294835Z", "number": "31", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (2).| References created (6).| CWES updated (1)." }, { "date": "2026-03-26T18:48:01.948359Z", "number": "32", "summary": "NCSC Score updated." }, { "date": "2026-03-27T20:51:16.454533Z", "number": "33", "summary": "NCSC Score updated." } ], "status": "interim", "version": "33" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<2.11.1", "product": { "name": "vers:unknown/<2.11.1", "product_id": "CSAFPID-5688699", "product_identification_helper": { "cpe": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*" } } }, { "category": "product_version_range", "name": "vers:unknown/>=0|<2.11.1", "product": { "name": "vers:unknown/>=0|<2.11.1", "product_id": "CSAFPID-5700114" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0", "product": { "name": "vers:unknown/v2.0.0", "product_id": "CSAFPID-4034332" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.13", "product": { "name": "vers:unknown/v2.0.0-beta.13", "product_id": "CSAFPID-4034342" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.14", "product": { "name": "vers:unknown/v2.0.0-beta.14", "product_id": "CSAFPID-4034343" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.15", "product": { "name": "vers:unknown/v2.0.0-beta.15", "product_id": "CSAFPID-4034344" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.16", "product": { "name": "vers:unknown/v2.0.0-beta.16", "product_id": "CSAFPID-4034345" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.17", "product": { "name": "vers:unknown/v2.0.0-beta.17", "product_id": "CSAFPID-4034346" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.18", "product": { "name": "vers:unknown/v2.0.0-beta.18", "product_id": "CSAFPID-4034347" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.19", "product": { "name": "vers:unknown/v2.0.0-beta.19", "product_id": "CSAFPID-4034348" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta.20", "product": { "name": "vers:unknown/v2.0.0-beta.20", "product_id": "CSAFPID-4034349" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta1", "product": { "name": "vers:unknown/v2.0.0-beta1", "product_id": "CSAFPID-4034350" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta10", "product": { "name": "vers:unknown/v2.0.0-beta10", "product_id": "CSAFPID-4034351" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta11", "product": { "name": "vers:unknown/v2.0.0-beta11", "product_id": "CSAFPID-4034352" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta12", "product": { "name": "vers:unknown/v2.0.0-beta12", "product_id": "CSAFPID-4034353" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta2", "product": { "name": "vers:unknown/v2.0.0-beta2", "product_id": "CSAFPID-4034354" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta3", "product": { "name": "vers:unknown/v2.0.0-beta3", "product_id": "CSAFPID-4034355" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta4", "product": { "name": "vers:unknown/v2.0.0-beta4", "product_id": "CSAFPID-4034356" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta5", "product": { "name": "vers:unknown/v2.0.0-beta5", "product_id": "CSAFPID-4034357" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta6", "product": { "name": "vers:unknown/v2.0.0-beta6", "product_id": "CSAFPID-4034358" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta7", "product": { "name": "vers:unknown/v2.0.0-beta7", "product_id": "CSAFPID-4034359" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta8", "product": { "name": "vers:unknown/v2.0.0-beta8", "product_id": "CSAFPID-4034360" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-beta9", "product": { "name": "vers:unknown/v2.0.0-beta9", "product_id": "CSAFPID-4034361" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-rc.1", "product": { "name": "vers:unknown/v2.0.0-rc.1", "product_id": "CSAFPID-4034362" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-rc.2", "product": { "name": "vers:unknown/v2.0.0-rc.2", "product_id": "CSAFPID-4034363" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0-rc.3", "product": { "name": "vers:unknown/v2.0.0-rc.3", "product_id": "CSAFPID-4034364" } }, { "category": "product_version_range", "name": "vers:unknown/v2.1.0", "product": { "name": "vers:unknown/v2.1.0", "product_id": "CSAFPID-4034378" } }, { "category": "product_version_range", "name": "vers:unknown/v2.1.0-beta.1", "product": { "name": "vers:unknown/v2.1.0-beta.1", "product_id": "CSAFPID-4034379" } }, { "category": "product_version_range", "name": "vers:unknown/v2.1.0-beta.2", "product": { "name": "vers:unknown/v2.1.0-beta.2", "product_id": "CSAFPID-4034380" } }, { "category": "product_version_range", "name": "vers:unknown/v2.1.1", "product": { "name": "vers:unknown/v2.1.1", "product_id": "CSAFPID-4034387" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.0", "product": { "name": "vers:unknown/v2.10.0", "product_id": "CSAFPID-5700154" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.0-beta.1", "product": { "name": "vers:unknown/v2.10.0-beta.1", "product_id": "CSAFPID-5700155" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.0-beta.2", "product": { "name": "vers:unknown/v2.10.0-beta.2", "product_id": "CSAFPID-5700156" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.0-beta.3", "product": { "name": "vers:unknown/v2.10.0-beta.3", "product_id": "CSAFPID-5700157" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.0-beta.4", "product": { "name": "vers:unknown/v2.10.0-beta.4", "product_id": "CSAFPID-5700158" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.1", "product": { "name": "vers:unknown/v2.10.1", "product_id": "CSAFPID-5700159" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.2", "product": { "name": "vers:unknown/v2.10.2", "product_id": "CSAFPID-5700160" } }, { "category": "product_version_range", "name": "vers:unknown/v2.11.0", "product": { "name": "vers:unknown/v2.11.0", "product_id": "CSAFPID-5700161" } }, { "category": "product_version_range", "name": "vers:unknown/v2.11.0-beta.1", "product": { "name": "vers:unknown/v2.11.0-beta.1", "product_id": "CSAFPID-5700162" } }, { "category": "product_version_range", "name": "vers:unknown/v2.11.0-beta.2", "product": { "name": "vers:unknown/v2.11.0-beta.2", "product_id": "CSAFPID-5700163" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.0", "product": { "name": "vers:unknown/v2.2.0", "product_id": "CSAFPID-4034396" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.0-rc.1", "product": { "name": "vers:unknown/v2.2.0-rc.1", "product_id": "CSAFPID-4034400" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.0-rc.2", "product": { "name": "vers:unknown/v2.2.0-rc.2", "product_id": "CSAFPID-4034401" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.0-rc.3", "product": { "name": "vers:unknown/v2.2.0-rc.3", "product_id": "CSAFPID-4034402" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.1", "product": { "name": "vers:unknown/v2.2.1", "product_id": "CSAFPID-4034407" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.3", "product": { "name": "vers:unknown/v2.2.3", "product_id": "CSAFPID-4034411" } }, { "category": "product_version_range", "name": "vers:unknown/v2.3.0", "product": { "name": "vers:unknown/v2.3.0", "product_id": "CSAFPID-4034417" } }, { "category": "product_version_range", "name": "vers:unknown/v2.3.0-beta.1", "product": { "name": "vers:unknown/v2.3.0-beta.1", "product_id": "CSAFPID-4034418" } }, { "category": "product_version_range", "name": "vers:unknown/v2.3.0-rc.1", "product": { "name": "vers:unknown/v2.3.0-rc.1", "product_id": "CSAFPID-4034419" } }, { "category": "product_version_range", "name": "vers:unknown/v2.3.0-rc.2", "product": { "name": "vers:unknown/v2.3.0-rc.2", "product_id": "CSAFPID-4034420" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.0", "product": { "name": "vers:unknown/v2.4.0", "product_id": "CSAFPID-4034435" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.0-beta.1", "product": { "name": "vers:unknown/v2.4.0-beta.1", "product_id": "CSAFPID-4034436" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.0-beta.2", "product": { "name": "vers:unknown/v2.4.0-beta.2", "product_id": "CSAFPID-4034437" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.0-rc.1", "product": { "name": "vers:unknown/v2.4.0-rc.1", "product_id": "CSAFPID-4034438" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.1", "product": { "name": "vers:unknown/v2.4.1", "product_id": "CSAFPID-4034441" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.2", "product": { "name": "vers:unknown/v2.4.2", "product_id": "CSAFPID-4034447" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.3", "product": { "name": "vers:unknown/v2.4.3", "product_id": "CSAFPID-4034448" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.4", "product": { "name": "vers:unknown/v2.4.4", "product_id": "CSAFPID-4034449" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.5", "product": { "name": "vers:unknown/v2.4.5", "product_id": "CSAFPID-4034450" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.6", "product": { "name": "vers:unknown/v2.4.6", "product_id": "CSAFPID-4034451" } }, { "category": "product_version_range", "name": "vers:unknown/v2.5.0", "product": { "name": "vers:unknown/v2.5.0", "product_id": "CSAFPID-4034455" } }, { "category": "product_version_range", "name": "vers:unknown/v2.5.0-beta.1", "product": { "name": "vers:unknown/v2.5.0-beta.1", "product_id": "CSAFPID-4034456" } }, { "category": "product_version_range", "name": "vers:unknown/v2.5.0-rc.1", "product": { "name": "vers:unknown/v2.5.0-rc.1", "product_id": "CSAFPID-4034457" } }, { "category": "product_version_range", "name": "vers:unknown/v2.5.1", "product": { "name": "vers:unknown/v2.5.1", "product_id": "CSAFPID-4034464" } }, { "category": "product_version_range", "name": "vers:unknown/v2.5.2", "product": { "name": "vers:unknown/v2.5.2", "product_id": "CSAFPID-4034465" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.0", "product": { "name": "vers:unknown/v2.6.0", "product_id": "CSAFPID-4034466" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.0-beta.1", "product": { "name": "vers:unknown/v2.6.0-beta.1", "product_id": "CSAFPID-4034467" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.0-beta.2", "product": { "name": "vers:unknown/v2.6.0-beta.2", "product_id": "CSAFPID-4034468" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.0-beta.3", "product": { "name": "vers:unknown/v2.6.0-beta.3", "product_id": "CSAFPID-4034469" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.0-beta.4", "product": { "name": "vers:unknown/v2.6.0-beta.4", "product_id": "CSAFPID-4034470" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.0-beta.5", "product": { "name": "vers:unknown/v2.6.0-beta.5", "product_id": "CSAFPID-4034471" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.1", "product": { "name": "vers:unknown/v2.6.1", "product_id": "CSAFPID-4034472" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.2", "product": { "name": "vers:unknown/v2.6.2", "product_id": "CSAFPID-4034473" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.3", "product": { "name": "vers:unknown/v2.6.3", "product_id": "CSAFPID-4034474" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.4", "product": { "name": "vers:unknown/v2.6.4", "product_id": "CSAFPID-4034475" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.0", "product": { "name": "vers:unknown/v2.7.0", "product_id": "CSAFPID-4034476" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.0-beta.1", "product": { "name": "vers:unknown/v2.7.0-beta.1", "product_id": "CSAFPID-4034477" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.0-beta.2", "product": { "name": "vers:unknown/v2.7.0-beta.2", "product_id": "CSAFPID-4034478" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.1", "product": { "name": "vers:unknown/v2.7.1", "product_id": "CSAFPID-4034479" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.2", "product": { "name": "vers:unknown/v2.7.2", "product_id": "CSAFPID-4034480" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.3", "product": { "name": "vers:unknown/v2.7.3", "product_id": "CSAFPID-4034481" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.4", "product": { "name": "vers:unknown/v2.7.4", "product_id": "CSAFPID-4034482" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.5", "product": { "name": "vers:unknown/v2.7.5", "product_id": "CSAFPID-5700164" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.0", "product": { "name": "vers:unknown/v2.8.0", "product_id": "CSAFPID-5700165" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.0-beta.1", "product": { "name": "vers:unknown/v2.8.0-beta.1", "product_id": "CSAFPID-5700166" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.0-beta.2", "product": { "name": "vers:unknown/v2.8.0-beta.2", "product_id": "CSAFPID-5700167" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.0-rc.1", "product": { "name": "vers:unknown/v2.8.0-rc.1", "product_id": "CSAFPID-5700168" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.1", "product": { "name": "vers:unknown/v2.8.1", "product_id": "CSAFPID-5700169" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.2", "product": { "name": "vers:unknown/v2.8.2", "product_id": "CSAFPID-5700170" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.3", "product": { "name": "vers:unknown/v2.8.3", "product_id": "CSAFPID-5700171" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.4", "product": { "name": "vers:unknown/v2.8.4", "product_id": "CSAFPID-5700172" } }, { "category": "product_version_range", "name": "vers:unknown/v2.9.0", "product": { "name": "vers:unknown/v2.9.0", "product_id": "CSAFPID-5700173" } }, { "category": "product_version_range", "name": "vers:unknown/v2.9.0-beta.1", "product": { "name": "vers:unknown/v2.9.0-beta.1", "product_id": "CSAFPID-5700174" } }, { "category": "product_version_range", "name": "vers:unknown/v2.9.0-beta.2", "product": { "name": "vers:unknown/v2.9.0-beta.2", "product_id": "CSAFPID-5700175" } }, { "category": "product_version_range", "name": "vers:unknown/v2.9.0-beta.3", "product": { "name": "vers:unknown/v2.9.0-beta.3", "product_id": "CSAFPID-5700176" } }, { "category": "product_version_range", "name": "vers:unknown/v2.9.1", "product": { "name": "vers:unknown/v2.9.1", "product_id": "CSAFPID-5700177" } } ], "category": "product_name", "name": "Caddy" } ], "category": "vendor", "name": "Caddyserver" }, { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:deb/unknown", "product": { "name": "vers:deb/unknown", "product_id": "CSAFPID-5700549" } } ], "category": "product_name", "name": "caddy" } ], "category": "product_family", "name": "bookworm" } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/2.6.2-11", "product": { "name": "vers:unknown/2.6.2-11", "product_id": "CSAFPID-5913758", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-11?arch=source&distro=questing" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-12", "product": { "name": "vers:unknown/2.6.2-12", "product_id": "CSAFPID-5913759", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-12?arch=source&distro=questing" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-9", "product": { "name": "vers:unknown/2.6.2-9", "product_id": "CSAFPID-5913757", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-9?arch=source&distro=questing" } } }, { "category": "product_version_range", "name": "vers:unknown/>=0", "product": { "name": "vers:unknown/>=0", "product_id": "CSAFPID-5913760" } } ], "category": "product_name", "name": "caddy" } ], "category": "product_family", "name": "Ubuntu:25.10" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/2.6.2-6", "product": { "name": "vers:unknown/2.6.2-6", "product_id": "CSAFPID-5913749", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-6ubuntu0.24.04.1", "product": { "name": "vers:unknown/2.6.2-6ubuntu0.24.04.1", "product_id": "CSAFPID-5913750", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6ubuntu0.24.04.1?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-6ubuntu0.24.04.2", "product": { "name": "vers:unknown/2.6.2-6ubuntu0.24.04.2", "product_id": "CSAFPID-5913751", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6ubuntu0.24.04.2?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-6ubuntu0.24.04.2+esm1", "product": { "name": "vers:unknown/2.6.2-6ubuntu0.24.04.2+esm1", "product_id": "CSAFPID-5913752", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6ubuntu0.24.04.2%2Besm1?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-6ubuntu0.24.04.3", "product": { "name": "vers:unknown/2.6.2-6ubuntu0.24.04.3", "product_id": "CSAFPID-5913753", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6ubuntu0.24.04.3?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-6ubuntu0.24.04.3+esm1", "product": { "name": "vers:unknown/2.6.2-6ubuntu0.24.04.3+esm1", "product_id": "CSAFPID-5913754", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6ubuntu0.24.04.3%2Besm1?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/2.6.2-6ubuntu0.24.04.3+esm2", "product": { "name": "vers:unknown/2.6.2-6ubuntu0.24.04.3+esm2", "product_id": "CSAFPID-5913755", "product_identification_helper": { "purl": "pkg:deb/ubuntu/caddy@2.6.2-6ubuntu0.24.04.3%2Besm2?arch=source&distro=esm-apps/noble" } } }, { "category": "product_version_range", "name": "vers:unknown/>=0", "product": { "name": "vers:unknown/>=0", "product_id": "CSAFPID-5913756" } } ], "category": "product_name", "name": "caddy" } ], "category": "product_family", "name": "Ubuntu:Pro:24.04:LTS" } ], "category": "vendor", "name": "Ubuntu" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<1.11.2", "product": { "name": "vers:unknown/>=0|<1.11.2", "product_id": "CSAFPID-5600955" } } ], "category": "product_name", "name": "frankenphp" } ], "category": "vendor", "name": "php" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/2.11.1", "product": { "name": "vers:unknown/2.11.1", "product_id": "CSAFPID-5918973" } }, { "category": "product_version_range", "name": "vers:unknown/<2.11.1", "product": { "name": "vers:unknown/<2.11.1", "product_id": "CSAFPID-5918974" } } ], "category": "product_name", "name": "go/github.com/caddyserver/caddy/v2" } ], "category": "vendor", "name": "caddy" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/2.11.1", "product": { "name": "vers:unknown/2.11.1", "product_id": "CSAFPID-5918979" } }, { "category": "product_version_range", "name": "vers:unknown/<2.11.1", "product": { "name": "vers:unknown/<2.11.1", "product_id": "CSAFPID-5918980" } } ], "category": "product_name", "name": "go/github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy/fastcgi" } ], "category": "vendor", "name": "reverseproxy" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-27590", "cwe": { "id": "CWE-180", "name": "Incorrect Behavior Order: Validate Before Canonicalize" }, "notes": [ { "category": "description", "text": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.", "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-27590" }, { "category": "description", "text": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.", "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-27590" }, { "category": "description", "text": "### Summary\n\nCaddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment).\n\n### Details\n\nThe issue is in `github.com/caddyserver/caddy/modules/caddyhttp/fastcgi.Trasnport.splitPos()` (and the subsequent slicing in `buildEnv()`):\n\n```\nlowerPath := strings.ToLower(path)\nidx := strings.Index(lowerPath, strings.ToLower(split))\nreturn idx + len(split)\n```\n\nThe returned index is computed in the byte space of lowerPath, but `buildEnv()` applies it to the original path:\n\n- `docURI = path[:splitPos]`\n- `pathInfo = path[splitPos:]`\n- `scriptName = strings.TrimSuffix(path, fc.pathInfo)`\n- `scriptFilename = caddyhttp.SanitizedPathJoin(fc.documentRoot, fc.scriptName)`\n\nThis assumes `lowerPath` and `path` have identical byte lengths and identical byte offsets, which is not true for some Unicode case mappings. Certain characters expand when lowercased (UTF-8 byte length increases), shifting the computed index. This creates a mismatch where `.php` is found in the lowercased string at an offset that does not correspond to the same position in the original string, causing the split point to land later/earlier than intended.\n\n### PoC\n\nCreate a small Go program that reproduces Caddy's `splitPos()` behavior (compute the `.php` split point on a lowercased path, then use that byte index on the original path):\n\n1. Save this as `poc.go`:\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n)\n\nfunc splitPos(path string, split string) int {\n\tlowerPath := strings.ToLower(path)\n\tidx := strings.Index(lowerPath, strings.ToLower(split))\n\tif idx < 0 {\n\t\treturn -1\n\t}\n\treturn idx + len(split)\n}\n\nfunc main() {\n\t// U+023A: Ⱥ (UTF-8: C8 BA). Lowercase is ⱥ (UTF-8: E2 B1 A5), longer in bytes.\n\tpath := \"/ȺȺȺȺshell.php.txt.php\"\n\tsplit := \".php\"\n\n\tpos := splitPos(path, split)\n\n\tfmt.Printf(\"orig bytes=%d\\n\", len(path))\n\tfmt.Printf(\"lower bytes=%d\\n\", len(strings.ToLower(path)))\n\tfmt.Printf(\"splitPos=%d\\n\", pos)\n\n\tfmt.Printf(\"orig[:pos]=%q\\n\", path[:pos])\n\tfmt.Printf(\"orig[pos:]=%q\\n\", path[pos:])\n\n\t// Expected split: right after the first \".php\" in the original string\n\twant := strings.Index(path, split) + len(split)\n\tfmt.Printf(\"expected splitPos=%d\\n\", want)\n\tfmt.Printf(\"expected orig[:]=%q\\n\", path[:want])\n}\n```\n\n2. Run it:\n\n```console\ngo run poc.go\n```\n\nOutput on my side:\n\n```\norig bytes=26\nlower bytes=30\nsplitPos=22\norig[:pos]=\"/ȺȺȺȺshell.php.txt\"\norig[pos:]=\".php\"\nexpected splitPos=18\nexpected orig[:]=\"/ȺȺȺȺshell.php\"\n```\n\nExpected split is right after the first `.php` (`/ȺȺȺȺshell.php`). Instead, the computed split lands later and cuts the original path after `shell.php.txt`, leaving `.php` as the remainder.\n\n### Impact\n\nSecurity boundary bypass/path confusion in script resolution.\nIn typical deployments, `.php` extension boundaries are relied on to decide what is executed by PHP. This bug can cause Caddy/FPM to execute a different file than intended by confusing `SCRIPT_NAME`/`SCRIPT_FILENAME`. If an attacker can place attacker-controlled content into a file that can be resolved as `SCRIPT_FILENAME` (common in web apps with uploads or writable directories), this can lead to unintended PHP execution of non-.php files and potentially remote code execution. Severity depends on deployment and presence of attacker-controlled file writes, but the primitive itself is remotely triggerable via crafted URLs.\n\nThis vulnerability was initially reported to FrankenPHP (https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38) by @AbdrrahimDahmani. The affected code has been copied/adapted from Caddy, which, according to research, is also affected.\n\nThe patch is a port of the FrankenPHP patch.", "title": "github - https://github.com/advisories/GHSA-5r3v-vc8m-m96g" }, { "category": "description", "text": "### Summary\n\nFrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding `.php`) on a lowercased copy of the request path but applies that byte index to the original path.\n\nBecause `strings.ToLower()` in Go can increase the byte length of certain UTF-8 characters (e.g., `Ⱥ` expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect `SCRIPT_NAME` and `SCRIPT_FILENAME`, potentially causing FrankenPHP to execute a file other than the one intended by the URI.\n\n### **Details**\n\nThe vulnerability resides in the `splitPos()` function and its usage within `splitCgiPath()`. The logic attempts to find the script extension (e.g., `.php`) in a case-insensitive manner by lowercasing the path:\n\n```go\nlowerPath := strings.ToLower(path)\nidx := strings.Index(lowerPath, strings.ToLower(split))\nreturn idx + len(split)\n```\n\nThe issue is that the returned `idx` represents a byte offset within `lowerPath`. However, `splitCgiPath()` uses this index to slice the **original** `path`:\n\n```go\nfc.docURI = path[:splitPos]\nfc.pathInfo = path[splitPos:]\nfc.scriptName = strings.TrimSuffix(path, fc.pathInfo)\nfc.scriptFilename = sanitizedPathJoin(fc.documentRoot, fc.scriptName)\n```\n\nThis logic relies on the assumption that `len(strings.ToLower(path)) == len(path)`. This assumption is false for certain Unicode characters. For example, the character `Ⱥ` (U+023A) requires 2 bytes in UTF-8 (`0xC8 0xBA`), but its lowercase equivalent `ⱥ` (U+2C65) requires 3 bytes (`0xE2 0xB1 0xA5`).\n\nIf the path contains such characters before the `.php` extension, the index calculated on `lowerPath` will be larger than the corresponding visual point in the original `path`. When applied to the original path, the split occurs at the wrong byte offset. This can cause the server to treat a larger portion of the path as the script name, effectively allowing an attacker to manipulate `SCRIPT_FILENAME`.\n\n### **PoC**\n\nThe following Go program demonstrates the discrepancy between the byte index in the lowercased string versus the original string.\n\n1. Save the following as `poc.go`:\n\n```go\npackage main\n\nimport (\n \"fmt\"\n \"strings\"\n)\n\nfunc splitPos(path string, split string) int {\n lowerPath := strings.ToLower(path)\n idx := strings.Index(lowerPath, strings.ToLower(split))\n if idx < 0 {\n return -1\n }\n return idx + len(split)\n}\n\nfunc main() {\n // U+023A: Ⱥ (UTF-8: C8 BA). Lowercase is ⱥ (UTF-8: E2 B1 A5), longer in bytes.\n // We construct a path where the byte expansion shifts the index.\n path := \"/ȺȺȺȺshell.php.txt.php\"\n split := \".php\"\n\n pos := splitPos(path, split)\n\n fmt.Printf(\"orig bytes=%d\\n\", len(path))\n fmt.Printf(\"lower bytes=%d\\n\", len(strings.ToLower(path)))\n fmt.Printf(\"splitPos=%d\\n\", pos)\n\n // Current Unsafe Behavior:\n fmt.Printf(\"orig[:pos] (Calculated Script)=%q\\n\", path[:pos])\n fmt.Printf(\"orig[pos:] (Calculated PathInfo)=%q\\n\", path[pos:])\n\n // Expected Safe Behavior:\n want := strings.Index(path, split) + len(split)\n fmt.Printf(\"expected splitPos=%d\\n\", want)\n fmt.Printf(\"expected orig[:]=%q\\n\", path[:want])\n}\n```\n\n2. Run the PoC:\n\n```console\ngo run poc.go\n```\n\n3. **Output:**\n\n```text\norig bytes=26\nlower bytes=30\nsplitPos=22\norig[:pos]=\"/ȺȺȺȺshell.php.txt\"\norig[pos:]=\".php\"\nexpected splitPos=18\nexpected orig[:]=\"/ȺȺȺȺshell.php\"\n```\n\nIn this example, FrankenPHP would identify `/ȺȺȺȺshell.php.txt` as the PHP script to execute, ignoring the fact that the actual file extension in the file system might be `.txt`.\n\n### Impact*\n\nThis is a **Security Boundary Bypass** and **Path Confusion** vulnerability.\n\nIn setups where users can upload files (e.g., avatars, text files) that are stored within the document root or a reachable path, an attacker can upload a file containing malicious PHP code with a safe extension (e.g., `payload.txt`). By crafting a request with specific Unicode characters, the attacker can force FrankenPHP to calculate the `SCRIPT_FILENAME` as ending in `payload.txt`, while the request appears to contain `.php` to the internal router logic.\n\nThis results in the execution of non-PHP files as PHP scripts, leading to **Remote Code Execution (RCE)**.\n\n### **Patched Versions**\n\n* This issue is fixed in FrankenPHP version **1.11.2**.\n\n### **Workarounds**\n\n* Ensure that user-uploaded files are stored outside of the public document root.\n* Implement strict WAF rules to reject requests containing specific multi-byte Unicode characters in the URL path if an upgrade is not immediately possible.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-g966-83w7-6w38.json?alt=media" }, { "category": "description", "text": "### Summary\n\nCaddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment).\n\n### Details\n\nThe issue is in `github.com/caddyserver/caddy/modules/caddyhttp/fastcgi.Trasnport.splitPos()` (and the subsequent slicing in `buildEnv()`):\n\n```\nlowerPath := strings.ToLower(path)\nidx := strings.Index(lowerPath, strings.ToLower(split))\nreturn idx + len(split)\n```\n\nThe returned index is computed in the byte space of lowerPath, but `buildEnv()` applies it to the original path:\n\n- `docURI = path[:splitPos]`\n- `pathInfo = path[splitPos:]`\n- `scriptName = strings.TrimSuffix(path, fc.pathInfo)`\n- `scriptFilename = caddyhttp.SanitizedPathJoin(fc.documentRoot, fc.scriptName)`\n\nThis assumes `lowerPath` and `path` have identical byte lengths and identical byte offsets, which is not true for some Unicode case mappings. Certain characters expand when lowercased (UTF-8 byte length increases), shifting the computed index. This creates a mismatch where `.php` is found in the lowercased string at an offset that does not correspond to the same position in the original string, causing the split point to land later/earlier than intended.\n\n### PoC\n\nCreate a small Go program that reproduces Caddy's `splitPos()` behavior (compute the `.php` split point on a lowercased path, then use that byte index on the original path):\n\n1. Save this as `poc.go`:\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n)\n\nfunc splitPos(path string, split string) int {\n\tlowerPath := strings.ToLower(path)\n\tidx := strings.Index(lowerPath, strings.ToLower(split))\n\tif idx < 0 {\n\t\treturn -1\n\t}\n\treturn idx + len(split)\n}\n\nfunc main() {\n\t// U+023A: Ⱥ (UTF-8: C8 BA). Lowercase is ⱥ (UTF-8: E2 B1 A5), longer in bytes.\n\tpath := \"/ȺȺȺȺshell.php.txt.php\"\n\tsplit := \".php\"\n\n\tpos := splitPos(path, split)\n\n\tfmt.Printf(\"orig bytes=%d\\n\", len(path))\n\tfmt.Printf(\"lower bytes=%d\\n\", len(strings.ToLower(path)))\n\tfmt.Printf(\"splitPos=%d\\n\", pos)\n\n\tfmt.Printf(\"orig[:pos]=%q\\n\", path[:pos])\n\tfmt.Printf(\"orig[pos:]=%q\\n\", path[pos:])\n\n\t// Expected split: right after the first \".php\" in the original string\n\twant := strings.Index(path, split) + len(split)\n\tfmt.Printf(\"expected splitPos=%d\\n\", want)\n\tfmt.Printf(\"expected orig[:]=%q\\n\", path[:want])\n}\n```\n\n2. Run it:\n\n```console\ngo run poc.go\n```\n\nOutput on my side:\n\n```\norig bytes=26\nlower bytes=30\nsplitPos=22\norig[:pos]=\"/ȺȺȺȺshell.php.txt\"\norig[pos:]=\".php\"\nexpected splitPos=18\nexpected orig[:]=\"/ȺȺȺȺshell.php\"\n```\n\nExpected split is right after the first `.php` (`/ȺȺȺȺshell.php`). Instead, the computed split lands later and cuts the original path after `shell.php.txt`, leaving `.php` as the remainder.\n\n### Impact\n\nSecurity boundary bypass/path confusion in script resolution.\nIn typical deployments, `.php` extension boundaries are relied on to decide what is executed by PHP. This bug can cause Caddy/FPM to execute a different file than intended by confusing `SCRIPT_NAME`/`SCRIPT_FILENAME`. If an attacker can place attacker-controlled content into a file that can be resolved as `SCRIPT_FILENAME` (common in web apps with uploads or writable directories), this can lead to unintended PHP execution of non-.php files and potentially remote code execution. Severity depends on deployment and presence of attacker-controlled file writes, but the primitive itself is remotely triggerable via crafted URLs.\n\nThis vulnerability was initially reported to FrankenPHP (https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38) by @AbdrrahimDahmani. The affected code has been copied/adapted from Caddy, which, according to research, is also affected.\n\nThe patch is a port of the FrankenPHP patch.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-5r3v-vc8m-m96g.json?alt=media" }, { "category": "description", "text": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-27590.json?alt=media" }, { "category": "description", "text": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.", "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-27590" }, { "category": "description", "text": "Unicode case-folding causes incorrect split_path index in github.com/caddyserver/caddy/v2", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4536.json?alt=media" }, { "category": "description", "text": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Ubuntu%2FUBUNTU-CVE-2026-27590.json?alt=media" }, { "category": "description", "text": "Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment).", "title": "gitlab - https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fgithub.com%2Fcaddyserver%2Fcaddy%2Fv2%2FCVE-2026-27590.yml/raw" }, { "category": "description", "text": "Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment).", "title": "gitlab - https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fgithub.com%2Fcaddyserver%2Fcaddy%2Fv2%2Fmodules%2Fcaddyhttp%2Freverseproxy%2Ffastcgi%2FCVE-2026-27590.yml/raw" }, { "category": "other", "text": "0.00193", "title": "EPSS" }, { "category": "other", "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "title": "CVSSV4" }, { "category": "other", "text": "8.9", "title": "CVSSV4 base score" }, { "category": "other", "text": "3.5", "title": "NCSC Score" }, { "category": "other", "text": "There is cvss data available from a private source", "title": "NCSC Score top increasing factors" }, { "category": "other", "text": "There is exploit data available from source Nvd, The value of the most recent CVSS (V3) score, Is related to an uncommon product vendor, Is related to (a version of) an uncommon product", "title": "NCSC Score top decreasing factors" } ], "product_status": { "fixed": [ "CSAFPID-5918973", "CSAFPID-5918979" ], "known_affected": [ "CSAFPID-5688699", "CSAFPID-5600955", "CSAFPID-5700114", "CSAFPID-4034332", "CSAFPID-4034342", "CSAFPID-4034343", "CSAFPID-4034344", "CSAFPID-4034345", "CSAFPID-4034346", "CSAFPID-4034347", "CSAFPID-4034348", "CSAFPID-4034349", "CSAFPID-4034350", "CSAFPID-4034351", "CSAFPID-4034352", "CSAFPID-4034353", "CSAFPID-4034354", "CSAFPID-4034355", "CSAFPID-4034356", "CSAFPID-4034357", "CSAFPID-4034358", "CSAFPID-4034359", "CSAFPID-4034360", "CSAFPID-4034361", "CSAFPID-4034362", "CSAFPID-4034363", "CSAFPID-4034364", "CSAFPID-4034378", "CSAFPID-4034379", "CSAFPID-4034380", "CSAFPID-4034387", "CSAFPID-4034396", "CSAFPID-4034400", "CSAFPID-4034401", "CSAFPID-4034402", "CSAFPID-4034407", "CSAFPID-4034411", "CSAFPID-4034417", "CSAFPID-4034418", "CSAFPID-4034419", "CSAFPID-4034420", "CSAFPID-4034435", "CSAFPID-4034436", "CSAFPID-4034437", "CSAFPID-4034438", "CSAFPID-4034441", "CSAFPID-4034447", "CSAFPID-4034448", "CSAFPID-4034449", "CSAFPID-4034450", "CSAFPID-4034451", "CSAFPID-4034455", "CSAFPID-4034456", "CSAFPID-4034457", "CSAFPID-4034464", "CSAFPID-4034465", "CSAFPID-4034466", "CSAFPID-4034467", "CSAFPID-4034468", "CSAFPID-4034469", "CSAFPID-4034470", "CSAFPID-4034471", "CSAFPID-4034472", "CSAFPID-4034473", "CSAFPID-4034474", "CSAFPID-4034475", "CSAFPID-4034476", "CSAFPID-4034477", "CSAFPID-4034478", "CSAFPID-4034479", "CSAFPID-4034480", "CSAFPID-4034481", "CSAFPID-4034482", "CSAFPID-5700154", "CSAFPID-5700155", "CSAFPID-5700156", "CSAFPID-5700157", "CSAFPID-5700158", "CSAFPID-5700159", "CSAFPID-5700160", "CSAFPID-5700161", "CSAFPID-5700162", "CSAFPID-5700163", "CSAFPID-5700164", "CSAFPID-5700165", "CSAFPID-5700166", "CSAFPID-5700167", "CSAFPID-5700168", "CSAFPID-5700169", "CSAFPID-5700170", "CSAFPID-5700171", "CSAFPID-5700172", "CSAFPID-5700173", "CSAFPID-5700174", "CSAFPID-5700175", "CSAFPID-5700176", "CSAFPID-5700177", "CSAFPID-5700549", "CSAFPID-5913749", "CSAFPID-5913750", "CSAFPID-5913751", "CSAFPID-5913752", "CSAFPID-5913753", "CSAFPID-5913754", "CSAFPID-5913755", "CSAFPID-5913756", "CSAFPID-5913757", "CSAFPID-5913758", "CSAFPID-5913759", "CSAFPID-5913760", "CSAFPID-5918974", "CSAFPID-5918980" ] }, "references": [ { "category": "external", "summary": "Source - cveprojectv5", "url": "https://www.cve.org/CVERecord?id=CVE-2026-27590" }, { "category": "external", "summary": "Source raw - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27590.json" }, { "category": "external", "summary": "Source - nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27590" }, { "category": "external", "summary": "Source raw - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-27590" }, { "category": "external", "summary": "Source - github", "url": "https://github.com/advisories/GHSA-5r3v-vc8m-m96g" }, { "category": "external", "summary": "Source raw - github", "url": "https://api.github.com/advisories/GHSA-5r3v-vc8m-m96g" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-g966-83w7-6w38.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-5r3v-vc8m-m96g.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-27590.json?alt=media" }, { "category": "external", "summary": "Source - debian", "url": "https://security-tracker.debian.org/tracker/CVE-2026-27590" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27590" }, { "category": "external", "summary": "Source raw - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4536.json?alt=media" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Ubuntu%2FUBUNTU-CVE-2026-27590.json?alt=media" }, { "category": "external", "summary": "Source - gitlab", "url": "https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fgithub.com%2Fcaddyserver%2Fcaddy%2Fv2%2FCVE-2026-27590.yml/raw" }, { "category": "external", "summary": "Source - gitlab", "url": "https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fgithub.com%2Fcaddyserver%2Fcaddy%2Fv2%2Fmodules%2Fcaddyhttp%2Freverseproxy%2Ffastcgi%2FCVE-2026-27590.yml/raw" }, { "category": "external", "summary": "Reference - cveprojectv5; github; gitlab; nvd; osv", "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g" }, { "category": "external", "summary": "Reference - cveprojectv5; github; gitlab; nvd; osv", "url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38" }, { "category": "external", "summary": "Reference - cveprojectv5; github; gitlab; nvd; osv", "url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1" }, { "category": "external", "summary": "Reference - github; gitlab; osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27590" }, { "category": "external", "summary": "Reference - github; gitlab", "url": "https://github.com/advisories/GHSA-5r3v-vc8m-m96g" }, { "category": "external", "summary": "Reference - osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24895" }, { "category": "external", "summary": "Reference - osv", "url": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e" }, { "category": "external", "summary": "Reference - osv", "url": "https://github.com/php/frankenphp/releases/tag/v1.11.2" }, { "category": "external", "summary": "Reference - osv", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27590.json" }, { "category": "external", "summary": "Reference - github; gitlab; osv", "url": "https://pkg.go.dev/vuln/GO-2026-4536" }, { "category": "external", "summary": "Reference - osv", "url": "https://ubuntu.com/security/CVE-2026-27590" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.cve.org/CVERecord?id=CVE-2026-27590" }, { "category": "external", "summary": "Reference - gitlab", "url": "https://github.com/caddyserver/caddy" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL" }, "products": [ "CSAFPID-4034332", "CSAFPID-4034342", "CSAFPID-4034343", "CSAFPID-4034344", "CSAFPID-4034345", "CSAFPID-4034346", "CSAFPID-4034347", "CSAFPID-4034348", "CSAFPID-4034349", "CSAFPID-4034350", "CSAFPID-4034351", "CSAFPID-4034352", "CSAFPID-4034353", "CSAFPID-4034354", "CSAFPID-4034355", "CSAFPID-4034356", "CSAFPID-4034357", "CSAFPID-4034358", "CSAFPID-4034359", "CSAFPID-4034360", "CSAFPID-4034361", "CSAFPID-4034362", "CSAFPID-4034363", "CSAFPID-4034364", "CSAFPID-4034378", "CSAFPID-4034379", "CSAFPID-4034380", "CSAFPID-4034387", "CSAFPID-4034396", "CSAFPID-4034400", "CSAFPID-4034401", "CSAFPID-4034402", "CSAFPID-4034407", "CSAFPID-4034411", "CSAFPID-4034417", "CSAFPID-4034418", "CSAFPID-4034419", "CSAFPID-4034420", "CSAFPID-4034435", "CSAFPID-4034436", "CSAFPID-4034437", "CSAFPID-4034438", "CSAFPID-4034441", "CSAFPID-4034447", "CSAFPID-4034448", "CSAFPID-4034449", "CSAFPID-4034450", "CSAFPID-4034451", "CSAFPID-4034455", "CSAFPID-4034456", "CSAFPID-4034457", "CSAFPID-4034464", "CSAFPID-4034465", "CSAFPID-4034466", "CSAFPID-4034467", "CSAFPID-4034468", "CSAFPID-4034469", "CSAFPID-4034470", "CSAFPID-4034471", "CSAFPID-4034472", "CSAFPID-4034473", "CSAFPID-4034474", "CSAFPID-4034475", "CSAFPID-4034476", "CSAFPID-4034477", "CSAFPID-4034478", "CSAFPID-4034479", "CSAFPID-4034480", "CSAFPID-4034481", "CSAFPID-4034482", "CSAFPID-5600955", "CSAFPID-5688699", "CSAFPID-5700114", "CSAFPID-5700154", "CSAFPID-5700155", "CSAFPID-5700156", "CSAFPID-5700157", "CSAFPID-5700158", "CSAFPID-5700159", "CSAFPID-5700160", "CSAFPID-5700161", "CSAFPID-5700162", "CSAFPID-5700163", "CSAFPID-5700164", "CSAFPID-5700165", "CSAFPID-5700166", "CSAFPID-5700167", "CSAFPID-5700168", "CSAFPID-5700169", "CSAFPID-5700170", "CSAFPID-5700171", "CSAFPID-5700172", "CSAFPID-5700173", "CSAFPID-5700174", "CSAFPID-5700175", "CSAFPID-5700176", "CSAFPID-5700177", "CSAFPID-5700549", "CSAFPID-5913749", "CSAFPID-5913750", "CSAFPID-5913751", "CSAFPID-5913752", "CSAFPID-5913753", "CSAFPID-5913754", "CSAFPID-5913755", "CSAFPID-5913756", "CSAFPID-5913757", "CSAFPID-5913758", "CSAFPID-5913759", "CSAFPID-5913760", "CSAFPID-5918974", "CSAFPID-5918980" ] } ], "title": "CVE-2026-27590" } ] }