CVE-2026-52846

Source
https://cve.org/CVERecord?id=CVE-2026-52846
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52846.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52846
Aliases
Downstream
Published
2026-06-23T17:47:30.387Z
Modified
2026-07-15T01:49:02.869622046Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Caddy: stripHTML template function bypass
Details

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely. This vulnerability is fixed in 2.11.4.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52846.json",
    "cwe_ids": [
        "CWE-116"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/caddyserver/caddy

Affected ranges

Type
GIT
Repo
https://github.com/caddyserver/caddy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.11.4"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*"
}

Affected versions

v2.*
v2.0.0
v2.0.0-beta.13
v2.0.0-beta.14
v2.0.0-beta.15
v2.0.0-beta.16
v2.0.0-beta.17
v2.0.0-beta.18
v2.0.0-beta.19
v2.0.0-beta.20
v2.0.0-beta1
v2.0.0-beta10
v2.0.0-beta11
v2.0.0-beta12
v2.0.0-beta2
v2.0.0-beta3
v2.0.0-beta4
v2.0.0-beta5
v2.0.0-beta6
v2.0.0-beta7
v2.0.0-beta8
v2.0.0-beta9
v2.0.0-rc.1
v2.0.0-rc.2
v2.0.0-rc.3
v2.1.0
v2.1.0-beta.1
v2.1.0-beta.2
v2.1.1
v2.10.0
v2.10.0-beta.1
v2.10.0-beta.2
v2.10.0-beta.3
v2.10.0-beta.4
v2.10.1
v2.10.2
v2.11.0
v2.11.0-beta.1
v2.11.0-beta.2
v2.11.1
v2.11.2
v2.11.3
v2.2.0
v2.2.0-rc.1
v2.2.0-rc.2
v2.2.0-rc.3
v2.2.1
v2.2.3
v2.3.0
v2.3.0-beta.1
v2.3.0-rc.1
v2.3.0-rc.2
v2.4.0
v2.4.0-beta.1
v2.4.0-beta.2
v2.4.0-rc.1
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.5.0
v2.5.0-beta.1
v2.5.0-rc.1
v2.5.1
v2.5.2
v2.6.0
v2.6.0-beta.1
v2.6.0-beta.2
v2.6.0-beta.3
v2.6.0-beta.4
v2.6.0-beta.5
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.7.0
v2.7.0-beta.1
v2.7.0-beta.2
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.8.0
v2.8.0-beta.1
v2.8.0-beta.2
v2.8.0-rc.1
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0
v2.9.0-beta.1
v2.9.0-beta.2
v2.9.0-beta.3
v2.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52846.json"