GO-2026-4537
- Source
- https://pkg.go.dev/vuln/GO-2026-4537
- Import Source
- https://vuln.go.dev/ID/GO-2026-4537.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2026-4537
- Aliases
- Published
- 2026-02-26T16:27:51Z
- Modified
- 2026-02-26T19:10:56.696684Z
- Summary
- Caddy is vulnerable to cross-origin config application via local admin API /load in github.com/caddyserver/caddy/v2
- Details
-
Caddy is vulnerable to cross-origin config application via local admin API /load in github.com/caddyserver/caddy/v2
- Database specific
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2026-4537" }- References
Affected packages
Go / github.com/caddyserver/caddy/v2
Package
- Name
- github.com/caddyserver/caddy/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/caddyserver/caddy/v2
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.11.1
Ecosystem specific
{
"imports": [
{
"path": "github.com/caddyserver/caddy/v2",
"symbols": [
"APIError.Error",
"AdminHandlerFunc.ServeHTTP",
"AppConfigDir",
"AppDataDir",
"BufferedLog",
"ClearLastConfigIfDifferent",
"Context.App",
"Context.AppIfConfigured",
"Context.IdentityCredentials",
"Context.LoadModule",
"Context.LoadModuleByID",
"Context.Logger",
"Context.Slogger",
"Duration.UnmarshalJSON",
"Event.CloudEvent",
"GetModule",
"GetModules",
"HomeDir",
"InstanceID",
"Load",
"Logging.Logger",
"NetworkAddress.Listen",
"NetworkAddress.ListenAll",
"NetworkAddress.ListenQUIC",
"NetworkAddress.String",
"NewContext",
"NewEvent",
"PIDFile",
"ParseDuration",
"ParseNetworkAddress",
"ParseNetworkAddressWithDefaults",
"ParseStructTag",
"ProvisionContext",
"RegisterModule",
"RemoveMetaFields",
"Replacer.Get",
"Replacer.GetString",
"Replacer.ReplaceAll",
"Replacer.ReplaceFunc",
"Replacer.ReplaceKnown",
"Replacer.ReplaceOrErr",
"Run",
"Stop",
"StrictUnmarshalJSON",
"ToString",
"TrapSignals",
"UsagePool.Delete",
"UsagePool.LoadOrNew",
"Validate",
"Version"
]
}
]
}