Cross-Site Scripting Risk in Caddy Server by Caddy Technologies
CVE-2026-52846

4.2 MEDIUM

Key Information:

Status:
Vendor:
CVE Published: 23 June 2026

What is CVE-2026-52846?

Caddy Server, an extensible server platform that uses TLS by default, has a vulnerability in its stripHTML template function, which does not reliably strip all HTML tags from user input. Certain malformed HTML inputs, such as , can bypass the tag-stripping process. As a result, malicious markup may survive in the output, potentially leading to client-side XSS if untrusted strings are rendered without further sanitization. Users are advised to update to version 2.11.4 or later to mitigate this risk.
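The weakness described above is a general property of single-pass tag stripping: anything the pattern does not recognise as a tag passes through unchanged, so the output is only as safe as the pattern is complete. The following Go program is an added illustration and is not Caddy's stripHTML implementation; the regex `tagPattern`, the helper names and the sample strings are all constructed for this example. It places a simplistic stripper beside the approach a template layer should prefer for untrusted text, HTML escaping, and adds a post-condition check that refuses to treat a "sanitised" value as safe if angle brackets survive.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// tagPattern is a constructed, deliberately simplistic single-pass tag matcher of
// the kind that generic "strip HTML" helpers use. It is an assumption for this
// example and is not Caddy's stripHTML implementation.
var tagPattern = regexp.MustCompile(`<[^>]*>`)

// naiveStrip deletes every well-formed <...> token in one pass. Anything the
// pattern does not recognise as a tag is passed through untouched, so the result
// is only as safe as the pattern is complete.
func naiveStrip(s string) string {
	return tagPattern.ReplaceAllString(s, "")
}

// escapeUntrusted neutralises markup instead of removing it: every character that
// could open or close a tag, or break out of an attribute, is converted to an
// entity, so the browser renders it as text no matter how malformed it is.
func escapeUntrusted(s string) string {
	return html.EscapeString(s)
}

// stillHasMarkup is a post-condition a template layer can enforce after any
// sanitiser runs: if angle brackets survive, the sanitiser has not done its job
// and the value must not be emitted as raw HTML.
func stillHasMarkup(s string) bool {
	return strings.ContainsAny(s, "<>")
}

// samples are constructed inputs (not the advisory's payload): one balanced
// fragment and one with unbalanced brackets that a single-pass matcher cannot
// fully consume.
var samples = []string{
	"<b>bold</b> text",
	"<<b>unbalanced>",
}

func main() {
	for _, in := range samples {
		stripped := naiveStrip(in)
		escaped := escapeUntrusted(in)
		fmt.Printf("input:    %q\n", in)
		fmt.Printf("stripped: %q  residual markup: %v\n", stripped, stillHasMarkup(stripped))
		fmt.Printf("escaped:  %q  residual markup: %v\n\n", escaped, stillHasMarkup(escaped))
	}
}
```

For the unbalanced sample the stripper removes only the token it recognises and leaves a trailing `>` behind, which `stillHasMarkup` flags; the escaped form contains no angle brackets at all. The defensive lesson for template authors is the one the advisory implies: treat tag stripping as a cosmetic transform, keep contextual escaping (Go's html/template does this automatically) as the actual security control, and upgrade to 2.11.4 or later.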

Affected Version(s)

caddy < 2.11.4

References

CVSS V3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
