CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-30851

Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 2.9%

CVSS Severity

CVSS v3 Score 8.1

References

https://github.com/caddyserver/caddy/issues/6610
https://github.com/caddyserver/caddy/pull/6608
https://github.com/caddyserver/caddy/pull/7545
https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-30851

Products

Pricing

Contact Us