CVE-2026-52846 (GCVE-0-2026-52846)
Vulnerability from cvelistv5 – Published: 2026-06-23 17:47 – Updated: 2026-06-25 12:42
VLAI
Title
Caddy: stripHTML template function bypass
Summary
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely. This vulnerability is fixed in 2.11.4.
Severity
4.2 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/caddyserver/caddy/security/adv… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| caddyserver | caddy |
Affected:
< 2.11.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-52846",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:42:12.083385Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:42:16.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "caddy",
"vendor": "caddyserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy\u2019s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as \u003c\u003c\u003eimg src=x onerror=alert()\u003e, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely. This vulnerability is fixed in 2.11.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T17:47:30.387Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v"
}
],
"source": {
"advisory": "GHSA-vcc4-2c75-vc9v",
"discovery": "UNKNOWN"
},
"title": "Caddy: stripHTML template function bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52846",
"datePublished": "2026-06-23T17:47:30.387Z",
"dateReserved": "2026-06-08T18:41:27.724Z",
"dateUpdated": "2026-06-25T12:42:16.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-52846",
"date": "2026-06-25",
"epss": "0.00149",
"percentile": "0.04414"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-52846\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-25T12:42:12.083385Z\"}}}], \"references\": [{\"url\": \"https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-25T12:42:00.959Z\"}}], \"cna\": {\"title\": \"Caddy: stripHTML template function bypass\", \"source\": {\"advisory\": \"GHSA-vcc4-2c75-vc9v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"caddyserver\", \"product\": \"caddy\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.11.4\"}]}], \"references\": [{\"url\": \"https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v\", \"name\": \"https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy\\u2019s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as \u003c\u003c\u003eimg src=x onerror=alert()\u003e, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely. This vulnerability is fixed in 2.11.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-116\", \"description\": \"CWE-116: Improper Encoding or Escaping of Output\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-23T17:47:30.387Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-52846\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-25T12:42:16.519Z\", \"dateReserved\": \"2026-06-08T18:41:27.724Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-23T17:47:30.387Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-VCC4-2C75-VC9V
Vulnerability from github – Published: 2026-06-16 21:28 – Updated: 2026-06-16 21:28
VLAI
Summary
Caddy: stripHTML template function bypass
Details
Summary
Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely.
Details
The vulnerability originates from funcStripHTML in:
caddy/caddy/caddyhttp/templates/tplcontext.go
func (TemplateContext) funcStripHTML(s string) string {
var buf bytes.Buffer
var inTag, inQuotes bool
var tagStart int
for i, ch := range s {
if inTag {
if ch == '>' && !inQuotes {
inTag = false
} else if ch == '<' && !inQuotes {
// false start
buf.WriteString(s[tagStart:i])
tagStart = i
} else if ch == '"' {
inQuotes = !inQuotes
}
continue
}
if ch == '<' {
inTag = true
tagStart = i
continue
}
buf.WriteRune(ch)
}
if inTag {
// false start
buf.WriteString(s[tagStart:])
}
return buf.String()
}
POC
Caddyfile setup
:8080 {
root * ./site
file_server
templates
}
Template file (index.html)
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>StripHTML Bypass Test</title>
</head>
<body>
<p>{{ stripHTML "<<>img src=x onerror=alert('XSS')>" }}</p>
</body>
</html>
The payload exploits the false start branch to smuggle a literal < back into the output, then uses the following > to terminate the parser’s tag state, leaving a valid tag behind.
Tested in v2.11.3
Impact
Malformed HTML can bypass stripHTML, potentially allowing arbitrary HTML or JavaScript to be rendered if the output is used unsafely, leading to client-side XSS.
AI Disclosure
AI assisted in writing the report description; however, the discovery of the issue has been done manually.
Severity
4.2 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.11.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/caddyserver/caddy/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/caddyserver/caddy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52846"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T21:28:55Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nCaddy\u2019s `stripHTML` template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as `\u003c\u003c\u003eimg src=x onerror=alert()\u003e`, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely.\n\n---\n\n### Details\nThe vulnerability originates from `funcStripHTML` in:\n\n[caddy/caddy/caddyhttp/templates/tplcontext.go](https://github.com/caddyserver/caddy/blob/77e9ce7404c4a76853e101a9f5687a929ee56654/modules/caddyhttp/templates/tplcontext.go)\n\n```go\nfunc (TemplateContext) funcStripHTML(s string) string {\n var buf bytes.Buffer\n var inTag, inQuotes bool\n var tagStart int\n for i, ch := range s {\n if inTag {\n if ch == \u0027\u003e\u0027 \u0026\u0026 !inQuotes {\n inTag = false\n } else if ch == \u0027\u003c\u0027 \u0026\u0026 !inQuotes {\n // false start\n buf.WriteString(s[tagStart:i])\n tagStart = i\n } else if ch == \u0027\"\u0027 {\n inQuotes = !inQuotes\n }\n continue\n }\n if ch == \u0027\u003c\u0027 {\n inTag = true\n tagStart = i\n continue\n }\n buf.WriteRune(ch)\n }\n if inTag {\n // false start\n buf.WriteString(s[tagStart:])\n }\n return buf.String()\n}\n```\n\n### POC\n\nCaddyfile setup\n\n```\n:8080 {\n root * ./site\n file_server\n templates\n}\n```\n\nTemplate file (index.html)\n\n```html\n\u003c!DOCTYPE html\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n \u003cmeta charset=\"UTF-8\"\u003e\n \u003ctitle\u003eStripHTML Bypass Test\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n \u003cp\u003e{{ stripHTML \"\u003c\u003c\u003eimg src=x onerror=alert(\u0027XSS\u0027)\u003e\" }}\u003c/p\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\nThe payload exploits the false start branch to smuggle a literal \u003c back into the output, then uses the following \u003e to terminate the parser\u2019s tag state, leaving a valid \u003cimg ...\u003e tag behind.\n\nTested in v2.11.3\n\n### Impact\n\nMalformed HTML can bypass stripHTML, potentially allowing arbitrary HTML or JavaScript to be rendered if the output is used unsafely, leading to client-side XSS.\n\n### AI Disclosure\n\nAI assisted in writing the report description; however, the discovery of the issue has been done manually.",
"id": "GHSA-vcc4-2c75-vc9v",
"modified": "2026-06-16T21:28:55Z",
"published": "2026-06-16T21:28:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v"
},
{
"type": "PACKAGE",
"url": "https://github.com/caddyserver/caddy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Caddy: stripHTML template function bypass"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…