Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Caddy Web Server Improper Handling of Case Sensitivity Vulnerability (CVE-2026-27588)

Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.

Remediation

References

Related Vulnerabilities

WordPress Plugin mySTAT 'mystat.php' SQL Injection (2.6)

Liferay DXP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2025-43804)

Oracle JRE Insecure Storage of Sensitive Information Vulnerability (CVE-2024-21211)

Liferay Portal URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2022-28977)

WordPress Plugin Advanced Custom Fields PRO Cross-Site Scripting (5.9.0)

Severity

Critical

Classification

CVE-2026-27588 CWE-178 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Tags

Missing Update Known Vulnerabilities