GO-2026-4535
- Source
- https://pkg.go.dev/vuln/GO-2026-4535
- Import Source
- https://vuln.go.dev/ID/GO-2026-4535.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2026-4535
- Aliases
- Published
- 2026-02-26T16:27:51Z
- Modified
- 2026-02-26T19:11:17.093186Z
- Summary
- Improper sanitization of glob characters in github.com/caddyserver/caddy/v2
- Details
-
Improper sanitization of glob characters in github.com/caddyserver/caddy/v2
- Database specific
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2026-4535" }- References
-
- https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4
- https://caddyserver.com/docs/caddyfile/directives#directive-order
- https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361
- https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L398
- https://github.com/caddyserver/caddy/releases/tag/v2.11.1
Affected packages
Go / github.com/caddyserver/caddy/v2
Package
- Name
- github.com/caddyserver/caddy/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/caddyserver/caddy/v2
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.11.1
Ecosystem specific
{
"imports": [
{
"symbols": [
"FileServer.Provision",
"FileServer.ServeHTTP",
"FileServer.UnmarshalCaddyfile",
"MatchFile.Match",
"MatchFile.MatchWithError",
"MatchFile.Provision",
"MatchFile.UnmarshalCaddyfile",
"MatchFile.Validate"
],
"path": "github.com/caddyserver/caddy/v2/modules/caddyhttp/fileserver"
}
]
}