{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27590", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T17:40:28.450Z", "datePublished": "2026-02-24T16:33:41.353Z", "dateUpdated": "2026-02-27T20:52:00.327Z"}, "containers": {"cna": {"title": "Caddy: Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-180", "lang": "en", "description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g"}, {"name": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38", "tags": ["x_refsource_MISC"], "url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38"}, {"name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"}], "affected": [{"vendor": "caddyserver", "product": "caddy", "versions": [{"version": "< 2.11.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T16:33:41.353Z"}, "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue."}], "source": {"advisory": "GHSA-5r3v-vc8m-m96g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T20:51:50.628047Z", "id": "CVE-2026-27590", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:52:00.327Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27590", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-27T20:51:50.628047Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:51:56.951Z"}}], "cna": {"title": "Caddy: Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport", "source": {"advisory": "GHSA-5r3v-vc8m-m96g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "caddyserver", "product": "caddy", "versions": [{"status": "affected", "version": "< 2.11.1"}]}], "references": [{"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g", "name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38", "name": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-180", "description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T16:33:41.353Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27590", "state": "PUBLISHED", "dateUpdated": "2026-02-27T20:52:00.327Z", "dateReserved": "2026-02-20T17:40:28.450Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T16:33:41.353Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*", "matchCriteriaId": "9AD1B432-AFA3-4A05-A687-F6092CDB6498", "versionEndExcluding": "2.11.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue."}], "id": "CVE-2026-27590", "lastModified": "2026-02-25T17:07:09.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T17:29:04.493", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-180"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "caddy", "source": "cna", "vendor": "caddyserver"}, "product": "caddy", "vendor": "caddyserver"}], "analysis": {"en": {"generated_at": "2026-04-16T16:22:38.240350+00:00", "value": {"mitigation_remediation": ["Upgrade Caddy to version 2.11.1 or a later release that contains the FastCGI path splitting fix.", "If an upgrade is not immediately possible, limit the usage of FastCGI for paths that can be influenced by unauthenticated users or disable file upload features that allow arbitrary file content.", "Verify that the FastCGI configuration only proxies safe, statically defined PHP scripts and blocks execution of arbitrary non\u2011.php files."], "summary": {"action": "Patch", "impact": "Potential remote code execution through path confusion"}, "threat_synthesis": {"affected_systems": "The flaw exists in the open\u2011source Caddy HTTP/HTTPS server from caddyserver. All versions of Caddy server released before 2.11.1 are affected. The issue only manifests when the FastCGI transport is used, such as when Caddy proxies requests to a PHP interpreter and the server or an upload facility allows an attacker to control the requested path.", "description_and_impact": "Caddy's FastCGI path splitting logic incorrectly uses the index from a lowercased copy of the request path to slice the original path. Because Unicode casefolding can change UTF\u20118 byte length, the derived SCRIPT_NAME/PATH_INFO values can be wrong, leading the server to execute an unintended on\u2011disk file. In setups where attackers can supply file contents, this flaw may allow PHP code execution of non\u2011.php files, potentially giving remote code execution capabilities where PHP is configured.", "risk_and_exploitability": "The CVSS score of 8.9 categorizes this vulnerability as high severity, but the EPSS score of less than 1% indicates that exploitation attempts are currently rare. The flaw is not listed in the CISA KEV catalog. Attackers would need to send a crafted HTTP request containing a Unicode path that, when lowercased, changes byte length, and rely on the FastCGI configuration to execute the wrong script. The presence of file upload or dynamic paths increases the likelihood of successful exploitation; otherwise, the risk remains limited to environments that use FastCGI for PHP."}}}}, "created": "2026-02-25T11:38:38.827476+00:00", "updated": "2026-04-16T16:30:15.936588+00:00", "vendors": ["caddyserver", "caddyserver$PRODUCT$caddy"]}