PatchSiren

caddyserver CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH caddyserver CVE published 2026-06-23

CVE-2026-52845

CVE-2026-52845 is a high-severity vulnerability in Caddy, an extensible server platform that uses TLS by default. Prior to version 2.11.4, Caddy's forward_auth feature has a flaw where it deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. However, when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by repl [truncated]

HIGH caddyserver CVE published 2026-06-23

CVE-2026-52844

CVE-2026-52844 is a high-severity vulnerability in Caddy, a popular extensible server platform that uses TLS by default. The issue arises from how Caddy's path matchers handle requests on Windows. Specifically, prior to version 2.11.4, Caddy's path matchers treat /private/secret.txt as outside the /private/* scope, but the file_server later resolves the same request path as private/secret.txt on disk. Thi [truncated]