ID

VAR-202606-5967


CVE

CVE-2026-52846


TITLE

Encoding and escaping vulnerability in Caddy by Light Code Labs

Trust: 0.8

sources: JVNDB: JVNDB-2026-021538

DESCRIPTION

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy's stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely. This vulnerability is fixed in 2.11.4.

This is a cross-site scripting (XSS) vulnerability. It has been fixed in version 2.11.4. Possible impacts:
- Some of the information handled by the software may be leaked to external parties.
- Some of the information handled by the software may be overwritten.
- The software will not stop

Trust: 1.62

sources: NVD: CVE-2026-52846 // JVNDB: JVNDB-2026-021538

AFFECTED PRODUCTS

vendor: caddyserver, model: caddy, scope: lt, version: 2.11.4

Trust: 1.0

vendor: light code, model: caddy, scope: eq, version: -

Trust: 0.8

vendor: light code, model: caddy, scope: -, version: -

Trust: 0.8

vendor: light code, model: caddy, scope: eq, version: 2.11.4

Trust: 0.8

sources: JVNDB: JVNDB-2026-021538 // NVD: CVE-2026-52846

CVSS

SEVERITY

CVSSV2

CVSSV3

security-advisories@github.com: CVE-2026-52846
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2026-021538
value: MEDIUM

Trust: 0.8

security-advisories@github.com: CVE-2026-52846
baseSeverity: MEDIUM
baseScore: 4.2
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.6
impactScore: 2.5
version: 3.1

Trust: 1.0

OTHER: JVNDB-2026-021538
baseSeverity: MEDIUM
baseScore: 4.2
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-021538 // NVD: CVE-2026-52846

PROBLEMTYPE DATA

problemtype: CWE-116

Trust: 1.0

problemtype: Improper encoding or output escaping (CWE-116) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2026-021538 // NVD: CVE-2026-52846

PATCH

title: stripHTML template function bypass in github.com/caddyserver/caddy - Advisory - caddyserver/caddy - GitHub
url: https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v

Trust: 0.8

sources: JVNDB: JVNDB-2026-021538

EXTERNAL IDS

db: NVD, id: CVE-2026-52846

Trust: 2.6

db: JVNDB, id: JVNDB-2026-021538

Trust: 0.8

sources: JVNDB: JVNDB-2026-021538 // NVD: CVE-2026-52846

REFERENCES

url: https://github.com/caddyserver/caddy/security/advisories/ghsa-vcc4-2c75-vc9v

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2026-52846

Trust: 0.8

sources: JVNDB: JVNDB-2026-021538 // NVD: CVE-2026-52846

SOURCES

db: JVNDB, id: JVNDB-2026-021538
db: NVD, id: CVE-2026-52846

LAST UPDATE DATE

2026-06-30T23:47:14.386000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2026-021538, date: 2026-06-30T02:19:00
db: NVD, id: CVE-2026-52846, date: 2026-06-29T19:08:52.543

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2026-021538, date: 2026-06-30T00:00:00
db: NVD, id: CVE-2026-52846, date: 2026-06-23T18:18:05.400