{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62146?format=json","vulnerability_id":"VCID-bazt-3c3y-aug6","summary":"Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.","aliases":[{"alias":"CVE-2026-27587"},{"alias":"GHSA-g7pc-pc7g-h8jh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/354935?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=aarch64&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=aarch64&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/354936?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=armhf&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=armhf&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/354937?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=armv7&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=armv7&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/354938?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=loongarch64&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=loongarch64&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/354939?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=ppc64le&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=ppc64le&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/354940?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=riscv64&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=riscv64&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/354941?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=s390x&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=s390x&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/354942?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=x86&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=x86&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/354943?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=x86_64&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=x86_64&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/406480?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=aarch64&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=aarch64&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/406481?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=armhf&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=armhf&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/406482?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=armv7&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=armv7&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/406483?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=loongarch64&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=loongarch64&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/406484?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=ppc64le&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=ppc64le&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/406485?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=riscv64&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=riscv64&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/406486?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=s390x&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=s390x&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/406487?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=x86&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=x86&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/406488?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=x86_64&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=x86_64&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/196495?format=json","purl":"pkg:deb/debian/caddy@2.11.2-1~bpo13%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/caddy@2.11.2-1~bpo13%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/89729?format=json","purl":"pkg:deb/debian/caddy@2.11.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/caddy@2.11.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/111878?format=json","purl":"pkg:golang/github.com/caddyserver/caddy/v2@2.11.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/caddyserver/caddy/v2@2.11.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/89727?format=json","purl":"pkg:deb/debian/caddy@2.6.2-5?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4q13-7vrs-vka3"},{"vulnerability":"VCID-76wk-wscv-3ua5"},{"vulnerability":"VCID-b2bf-uhhd-nuex"},{"vulnerability":"VCID-bazt-3c3y-aug6"},{"vulnerability":"VCID-n2qt-vgx7-tfec"},{"vulnerability":"VCID-y7v2-rxtu-kyf7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/caddy@2.6.2-5%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/196493?format=json","purl":"pkg:deb/debian/caddy@2.6.2-5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4q13-7vrs-vka3"},{"vulnerability":"VCID-76wk-wscv-3ua5"},{"vulnerability":"VCID-b2bf-uhhd-nuex"},{"vulnerability":"VCID-bazt-3c3y-aug6"},{"vulnerability":"VCID-n2qt-vgx7-tfec"},{"vulnerability":"VCID-y7v2-rxtu-kyf7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/caddy@2.6.2-5"},{"url":"http://public2.vulnerablecode.io/api/packages/196494?format=json","purl":"pkg:deb/debian/caddy@2.6.2-12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4q13-7vrs-vka3"},{"vulnerability":"VCID-76wk-wscv-3ua5"},{"vulnerability":"VCID-b2bf-uhhd-nuex"},{"vulnerability":"VCID-bazt-3c3y-aug6"},{"vulnerability":"VCID-n2qt-vgx7-tfec"},{"vulnerability":"VCID-y7v2-rxtu-kyf7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/caddy@2.6.2-12"},{"url":"http://public2.vulnerablecode.io/api/packages/89730?format=json","purl":"pkg:deb/debian/caddy@2.6.2-12?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4q13-7vrs-vka3"},{"vulnerability":"VCID-76wk-wscv-3ua5"},{"vulnerability":"VCID-b2bf-uhhd-nuex"},{"vulnerability":"VCID-bazt-3c3y-aug6"},{"vulnerability":"VCID-n2qt-vgx7-tfec"},{"vulnerability":"VCID-y7v2-rxtu-kyf7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/caddy@2.6.2-12%3Fdistro=trixie"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27587","reference_id":"","reference_type":"","scores":[{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19677","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.1959","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19562","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19631","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19674","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27587"},{"reference_url":"https://github.com/caddyserver/caddy","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/caddyserver/caddy"},{"reference_url":"https://github.com/caddyserver/caddy/commit/a1081194bfae4e0d8c227ec44aecb95eded55d1e","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/caddyserver/caddy/commit/a1081194bfae4e0d8c227ec44aecb95eded55d1e"},{"reference_url":"https://github.com/caddyserver/caddy/releases/tag/v2.11.1","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:47:59Z/"}],"url":"https://github.com/caddyserver/caddy/releases/tag/v2.11.1"},{"reference_url":"https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:47:59Z/"}],"url":"https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27587","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27587"},{"reference_url":"https://pkg.go.dev/vuln/GO-2026-4538","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2026-4538"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132041","reference_id":"1132041","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132041"}],"weaknesses":[{"cwe_id":178,"name":"Improper Handling of Case Sensitivity","description":"The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results."}],"exploits":[],"severity_range_score":"7.0 - 8.9","exploitability":"0.5","weighted_severity":"8.0","risk_score":4.0,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bazt-3c3y-aug6"}