CVE Catalog

CVE-2026-45135

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile — higher than 32% of all known CVEs

Summary

Caddy versions 2.7.0 through 2.11.3 contain a vulnerability in the FastCGI mechanism that allows an attacker to misidentify a non-PHP file as a script. The issue stems from improper use of case-insensitive search functions when handling paths containing non-ASCII bytes. In environments where an attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can lead to remote code execution.

Risk Assessment

The risk for the organization includes the possibility of remote code execution on the server, which could result in application compromise, data leakage, or further attacks on the infrastructure.

Recommendation

Immediately update Caddy to version 2.11.3 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treating a non-.php (or other configured split_path extension) file as a script. In any deployment where the attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This vulnerability is fixed in 2.11.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS