Published: June 13, 2026 | Last Modified: June 13, 2026
Caddy project reports: Caddy 2.11.4 contains multiple security fixes. GitHub Security Advisory GHSA-qrp7-cvwr-j2c6 reports: Windows-encoded backslashes in request paths could bypass path-scoped authorization rules before files are served by file_server. GitHub Security Advisory GHSA-f59h-q822-g45g reports: forward_auth copy_headers could fail to remove underscore aliases of copied identity headers before FastCGI header normalization, allowing identity or group header spoofing. GitHub Security Advisory GHSA-vcc4-2c75-vc9v reports: The stripHTML template function could fail to remove malformed HTML, potentially allowing client-side cross-site scripting if untrusted output is later rendered as HTML.
Exploitation Probability (EPSS): Low — 0.03% (9th percentile)
Low exploitation probability based on current threat landscape data. Standard patching timeline is appropriate.
This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.