CVE-2026-27590 | caddyserver caddy up to 2.11.0 Request Path strings.ToLower SCRIPT_NAME/SCRIPT_FILENAME/PATH_INFO input validation
A vulnerability marked as very critical has been reported in caddyserver caddy up to 2.11.0. The affected element is the function strings.ToLower in the Request Path Handler component. Manipulating the argument SCRIPT_NAME/SCRIPT_FILENAME/PATH_INFO leads to improper input validation.
This vulnerability is tracked as CVE-2026-27590. The attack can be carried out remotely. No exploit exists.
It is suggested to upgrade the affected component.