ID

VAR-202602-2991


CVE

CVE-2026-27587


TITLE

Light Code Labs Caddy: improper case sensitivity vulnerability in the HTTP path matcher

Trust: 0.8

sources: JVNDB: JVNDB-2026-005159

DESCRIPTION

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares the pattern against the request's escaped path without lowercasing it. An attacker can bypass path-based routing, and any access controls attached to that route, by changing the casing of the request path. Version 2.11.1 contains a fix for this issue. Impact: all information handled by the software may be leaked to the outside, and all information handled by the software may be rewritten. Availability is not affected (the software will not stop), and attacks that exploit this vulnerability do not affect other software.
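The following is an added example, not Caddy's code: a simplified re-implementation of the matcher behaviour the description spells out, with the defective comparison beside the corrected one, so the bypass and its fix can be seen on a concrete request. The function names `vulnerableMatch`, `fixedMatch` and `mustParse` are hypothetical and chosen for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// vulnerableMatch models the pre-2.11.1 behaviour described in the advisory
// (hypothetical simplification, not Caddy's code): a pattern containing a
// percent-escape is compared against the request's escaped path, but that
// escaped path is never lowercased, so case-insensitivity silently breaks.
func vulnerableMatch(pattern string, u *url.URL) bool {
	if strings.Contains(pattern, "%") {
		return u.EscapedPath() == pattern // case-sensitive by mistake
	}
	return strings.ToLower(u.Path) == strings.ToLower(pattern)
}

// fixedMatch lowercases both sides in both branches, so a percent-escaped
// pattern is matched as case-insensitively as a plain one.
func fixedMatch(pattern string, u *url.URL) bool {
	pattern = strings.ToLower(pattern)
	if strings.Contains(pattern, "%") {
		return strings.ToLower(u.EscapedPath()) == pattern
	}
	return strings.ToLower(u.Path) == pattern
}

// mustParse builds a *url.URL from a constructed request-URI string.
func mustParse(raw string) *url.URL {
	u, err := url.Parse(raw)
	if err != nil {
		panic(err)
	}
	return u
}

func main() {
	// Constructed sample: a protected route whose pattern carries a %20.
	const pattern = "/admin%20panel"
	for _, req := range []string{"/admin%20panel", "/ADMIN%20panel"} {
		u := mustParse(req)
		fmt.Printf("%-16s vulnerable=%-5v fixed=%v\n",
			req, vulnerableMatch(pattern, u), fixedMatch(pattern, u))
	}
}
```

The second request differs from the pattern only in case; the defective matcher lets it fall through the route (and any access control attached to it), while the fixed matcher still matches.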

Trust: 1.62

sources: NVD: CVE-2026-27587 // JVNDB: JVNDB-2026-005159

AFFECTED PRODUCTS

vendor: caddyserver, model: caddy, scope: lt, version: 2.11.1

Trust: 1.0

vendor: caddyserver, model: caddy, scope: gte, version: 2.10.2

Trust: 1.0

vendor: light code, model: caddy, scope: eq, version: 2.10.2 and later, prior to 2.11.1

Trust: 0.8

vendor: light code, model: caddy, scope: -, version: -

Trust: 0.8

vendor: light code, model: caddy, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-005159 // NVD: CVE-2026-27587

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2026-27587
value: CRITICAL

Trust: 1.0

security-advisories@github.com: CVE-2026-27587
value: HIGH

Trust: 1.0

NVD: CVE-2026-27587
value: CRITICAL

Trust: 0.8

nvd@nist.gov: CVE-2026-27587
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2026-27587
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-005159 // NVD: CVE-2026-27587 // NVD: CVE-2026-27587

PROBLEMTYPE DATA

problemtype:CWE-178

Trust: 1.0

problemtype: Improper case sensitivity (CWE-178) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-005159 // NVD: CVE-2026-27587

PATCH

title: Caddy, url: https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh

Trust: 0.8

sources: JVNDB: JVNDB-2026-005159

EXTERNAL IDS

db: NVD, id: CVE-2026-27587

Trust: 2.6

db: JVNDB, id: JVNDB-2026-005159

Trust: 0.8

sources: JVNDB: JVNDB-2026-005159 // NVD: CVE-2026-27587

REFERENCES

url:https://github.com/caddyserver/caddy/releases/tag/v2.11.1

Trust: 1.8

url:https://github.com/caddyserver/caddy/security/advisories/ghsa-g7pc-pc7g-h8jh

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2026-27587

Trust: 0.8

sources: JVNDB: JVNDB-2026-005159 // NVD: CVE-2026-27587

SOURCES

db: JVNDB, id: JVNDB-2026-005159
db: NVD, id: CVE-2026-27587

LAST UPDATE DATE

2026-02-28T23:48:38.776000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2026-005159, date: 2026-02-27T03:42:00
db: NVD, id: CVE-2026-27587, date: 2026-02-25T17:11:25.233

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2026-005159, date: 2026-02-27T00:00:00
db: NVD, id: CVE-2026-27587, date: 2026-02-24T17:29:03.953