ID

VAR-202606-5937


CVE

CVE-2026-45135


TITLE

Multiple vulnerabilities in Light Code Labs Caddy

Trust: 0.8

sources: JVNDB: JVNDB-2026-021347

DESCRIPTION

Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treating a non-.php (or other configured split_path extension) file as a script. In any deployment where the attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This vulnerability is fixed in 2.11.3.

- All information handled by the software may be leaked to external parties.
- All information handled by the software may be overwritten.
- The software may completely shut down.

Trust: 1.62

sources: NVD: CVE-2026-45135 // JVNDB: JVNDB-2026-021347

AFFECTED PRODUCTS

vendor: caddyserver, model: caddy, scope: gte, version: 2.7.0

Trust: 1.0

vendor: caddyserver, model: caddy, scope: lt, version: 2.11.3

Trust: 1.0

vendor: light code, model: caddy, scope: -, version: -

Trust: 0.8

vendor: light code, model: caddy, scope: eq, version: -

Trust: 0.8

vendor: light code, model: caddy, scope: eq, version: 2.7.0 or later, before 2.11.3

Trust: 0.8

sources: JVNDB: JVNDB-2026-021347 // NVD: CVE-2026-45135

CVSS

SEVERITY

CVSSV2

CVSSV3

security-advisories@github.com: CVE-2026-45135
value: HIGH

Trust: 1.0

OTHER: JVNDB-2026-021347
value: HIGH

Trust: 0.8

security-advisories@github.com: CVE-2026-45135
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 1.0

OTHER: JVNDB-2026-021347
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-021347 // NVD: CVE-2026-45135

PROBLEMTYPE DATA

problemtype: CWE-178

Trust: 1.0

problemtype: CWE-20

Trust: 1.0

problemtype: CWE-176

Trust: 1.0

problemtype: Improper Handling of Unicode Encoding (CWE-176) [others]

Trust: 0.8

problemtype: Improper Handling of Case Sensitivity (CWE-178) [others]

Trust: 0.8

problemtype: Improper Input Validation (CWE-20) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2026-021347 // NVD: CVE-2026-45135

PATCH

title: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files · Advisory · caddyserver/caddy · GitHub
url: https://github.com/caddyserver/caddy/security/advisories/GHSA-m675-2p33-xv9g

Trust: 0.8

sources: JVNDB: JVNDB-2026-021347

EXTERNAL IDS

db: NVD, id: CVE-2026-45135

Trust: 2.6

db: JVNDB, id: JVNDB-2026-021347

Trust: 0.8

sources: JVNDB: JVNDB-2026-021347 // NVD: CVE-2026-45135

REFERENCES

url: https://github.com/caddyserver/caddy/security/advisories/ghsa-m675-2p33-xv9g

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2026-45135

Trust: 0.8

sources: JVNDB: JVNDB-2026-021347 // NVD: CVE-2026-45135

SOURCES

db: JVNDB, id: JVNDB-2026-021347
db: NVD, id: CVE-2026-45135

LAST UPDATE DATE

2026-06-30T23:47:13.847000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2026-021347, date: 2026-06-29T02:17:00
db: NVD, id: CVE-2026-45135, date: 2026-06-26T18:04:10.390

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2026-021347, date: 2026-06-29T00:00:00
db: NVD, id: CVE-2026-45135, date: 2026-06-23T18:17:52.343