LeakyCreds

CVE-2026-27590 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: February 25, 2026

Caddy - Path Traversal

Published: February 24, 2026 | Updated: February 25, 2026 | PoC Available | Remote Exploitable

Overview

Caddy before 2.11.1 contains a path confusion vulnerability caused by unsafe FastCGI path-splitting logic combined with Unicode lowercasing, which lets an attacker cause an unintended PHP file to be executed. Exploitation requires an attacker-controlled file upload.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 12.0% (probability of exploitation in the next 30 days)

Impact

Attackers can execute unintended PHP files, potentially leading to remote code execution depending on deployment.

Mitigation

Update to version 2.11.1 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Feb 25, 2026

🔓 CVE-2026-27590 - Critical (9.8) Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original pa... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27590/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

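The mechanism named in the overview and in the quoted post above, as an added illustration that is not Caddy's code: a hypothetical splitter that locates the marker in a Unicode-lowercased copy of the path and reuses that byte index on the original, beside a hardened version that folds only ASCII letters so the copy keeps the original byte length. Both assume "split at the first case-insensitive occurrence of the marker" semantics, and the Kelvin-sign path is a constructed input.

```go
package main

import "strings"

// Illustration of the bug class described for CVE-2026-27590, not Caddy's
// code: the marker is located in a lowercased copy of the path and that byte
// index is then applied to the original path. Unicode lowercasing can change
// byte length (U+212A KELVIN SIGN is 3 bytes, its lowercase 'k' is 1 byte),
// so the index no longer points where the caller assumes.
func splitPathUnsafe(path, marker string) (scriptName, pathInfo string, ok bool) {
	lowered := strings.ToLower(path)
	idx := strings.Index(lowered, strings.ToLower(marker))
	if idx < 0 {
		return path, "", false
	}
	end := idx + len(marker)
	if end > len(path) { // lowercasing can also grow a path; avoid a panic in this demo
		end = len(path)
	}
	return path[:end], path[end:], true
}

// lowerASCIIOnly folds only 'A'..'Z' byte by byte. The result has exactly the
// byte length of the input, so an index found in it is valid on the original;
// UTF-8 bytes (>= 0x80) are never touched and no Unicode case mapping runs.
func lowerASCIIOnly(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + 'a' - 'A'
		}
	}
	return string(b)
}

// splitPathSafe keeps case-insensitive matching for ASCII extensions such as
// ".php" while guaranteeing that the slice offsets refer to the original bytes.
func splitPathSafe(path, marker string) (scriptName, pathInfo string, ok bool) {
	if marker == "" {
		return path, "", false
	}
	idx := strings.Index(lowerASCIIOnly(path), lowerASCIIOnly(marker))
	if idx < 0 {
		return path, "", false
	}
	end := idx + len(marker)
	return path[:end], path[end:], true
}
```

On the constructed path `/up/\u212Ax.php/info` the unsafe splitter returns a SCRIPT_NAME ending in `.p` with PATH_INFO `hp/info`, while the safe one returns `/up/\u212Ax.php` and `/info`.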

Details

CVE ID: CVE-2026-27590
Severity: Critical
CVSS Score: 9.8
Type: path_traversal
Status: confirmed
EPSS: 12.0%
Social Posts: 1

CWE

  • CWE-20

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

12.0% (probability of exploitation in the next 30 days)