{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80151?format=json","vulnerability_id":"VCID-txa2-cctx-afh7","summary":"Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.","aliases":[{"alias":"CVE-2026-27588"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/151894?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=aarch64&distroversion=v3.24&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=aarch64&distroversion=v3.24&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/151895?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=armhf&distroversion=v3.24&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=armhf&distroversion=v3.24&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/151896?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=armv7&distroversion=v3.24&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=armv7&distroversion=v3.24&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/151897?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=loongarch64&distroversion=v3.24&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=loongarch64&distroversion=v3.24&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/151898?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=ppc64le&distroversion=v3.24&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=ppc64le&distroversion=v3.24&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/151899?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=riscv64&distroversion=v3.24&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=riscv64&distroversion=v3.24&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/151900?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=s390x&distroversion=v3.24&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=s390x&distroversion=v3.24&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/151902?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=x86_64&distroversion=v3.24&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=x86_64&distroversion=v3.24&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/151901?format=json","purl":"pkg:apk/alpine/caddy@2.11.1-r0?arch=x86&distroversion=v3.24&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.1-r0%3Farch=x86&distroversion=v3.24&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/223916?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=aarch64&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=aarch64&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/223917?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=armhf&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=armhf&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/223918?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=armv7&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=armv7&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/223919?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=loongarch64&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=loongarch64&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/223920?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=ppc64le&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=ppc64le&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/223921?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=riscv64&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=riscv64&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/223922?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=s390x&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=s390x&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/223924?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=x86_64&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=x86_64&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/223923?format=json","purl":"pkg:apk/alpine/caddy@2.11.2-r0?arch=x86&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/caddy@2.11.2-r0%3Farch=x86&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/26689?format=json","purl":"pkg:deb/debian/caddy@2.11.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/caddy@2.11.2-1%3Fdistro=trixie"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26690?format=json","purl":"pkg:deb/debian/caddy@2.6.2-12?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-332h-y4w8-hya5"},{"vulnerability":"VCID-drjn-p4fg-e3dn"},{"vulnerability":"VCID-e8dq-xrgs-q7ha"},{"vulnerability":"VCID-ntx3-jz7v-y7g1"},{"vulnerability":"VCID-nx5q-kgkt-xqbp"},{"vulnerability":"VCID-txa2-cctx-afh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/caddy@2.6.2-12%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/26687?format=json","purl":"pkg:deb/debian/caddy@2.6.2-5?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-332h-y4w8-hya5"},{"vulnerability":"VCID-drjn-p4fg-e3dn"},{"vulnerability":"VCID-e8dq-xrgs-q7ha"},{"vulnerability":"VCID-ntx3-jz7v-y7g1"},{"vulnerability":"VCID-nx5q-kgkt-xqbp"},{"vulnerability":"VCID-txa2-cctx-afh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/caddy@2.6.2-5%3Fdistro=trixie"}],"references":[{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132041","reference_id":"1132041","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132041"},{"reference_url":"https://github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8","reference_id":"GHSA-x76f-jf84-rqj8","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:47:27Z/"}],"url":"https://github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8"},{"reference_url":"https://github.com/caddyserver/caddy/releases/tag/v2.11.1","reference_id":"v2.11.1","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:47:27Z/"}],"url":"https://github.com/caddyserver/caddy/releases/tag/v2.11.1"}],"weaknesses":[{"cwe_id":178,"name":"Improper Handling of Case Sensitivity","description":"The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results."}],"exploits":[],"severity_range_score":"7.7 - 7.7","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-txa2-cctx-afh7"}