CVE-2026-52846
Status: Undergoing Analysis - In Progress
XSS Bypass in Caddy StripHTML Function

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely. This vulnerability is fixed in 2.11.4.
Meta Information
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: caddyserver
Product: caddy
Version / Range: up to 2.11.4 (exclusive)
CWE
CWE-116 (Improper Encoding or Escaping of Output): The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
AI Quick Actions (instant insights powered by AI)
Compliance Impact

The vulnerability in Caddy's stripHTML function can lead to client-side cross-site scripting (XSS) by allowing dangerous content to bypass HTML tag stripping. Such XSS vulnerabilities can potentially expose sensitive user data or enable unauthorized actions when untrusted input is rendered unsafely.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the presence of XSS vulnerabilities can impact compliance by risking the confidentiality and integrity of personal or sensitive data handled by affected systems.

Therefore, organizations using affected versions of Caddy should consider this vulnerability as a risk factor for regulatory compliance related to data protection and security, and apply the available patch to mitigate potential issues.

Executive Summary

The CVE-2026-52846 vulnerability affects the stripHTML template function in the Caddy web server. This function is supposed to remove all HTML tags from input strings, but prior to version 2.11.4, it fails to reliably do so.

Certain malformed HTML inputs, such as `<<>img src=x onerror=alert()>`, can bypass the tag-stripping logic, leaving dangerous content in the output.

If this output is later rendered as HTML without proper sanitization, it can lead to client-side cross-site scripting (XSS) attacks.

The root cause is incorrect handling of false starts in HTML tags within the function's logic.

Impact Analysis

This vulnerability can allow attackers to inject malicious scripts into web pages by bypassing the HTML tag-stripping mechanism.

If untrusted input is rendered unsafely, it can lead to client-side cross-site scripting (XSS), which may result in theft of user data, session hijacking, or other malicious actions executed in the context of the victim's browser.

The vulnerability has a moderate severity with a CVSS score of 4.2 and requires user interaction but no special privileges.

Detection Guidance

This vulnerability affects the stripHTML template function in Caddy versions prior to 2.11.4. To detect if your system is vulnerable, first verify the version of Caddy running on your server.

  • Run the command `caddy version` to check the installed Caddy version.

If the version is earlier than 2.11.4, your system is potentially vulnerable. Additionally, you can test for the vulnerability by sending input containing malformed HTML, such as `<<>img src=x onerror=alert()>`, to any functionality that uses the stripHTML template function and observing whether the output still contains the tag; if it does, the tag-stripping logic has been bypassed.

Mitigation Strategies

The immediate mitigation step is to upgrade Caddy to version 2.11.4 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, avoid rendering untrusted input using the stripHTML template function, or implement additional sanitization or escaping mechanisms to prevent client-side XSS.
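The version check from Detection Guidance and the interim escaping from Mitigation Strategies, as an added Go example; this is not code from this page or from the Caddy project. It assumes `caddy version` prints the version as its first token (e.g. `v2.11.3 h1:<module hash>`), and it uses Go's html/template escaping as the "additional escaping mechanism" rather than any Caddy-specific API.

```go
package main

import (
	"fmt"
	"html/template"
	"strconv"
	"strings"
)

var fixedVersion = [3]int{2, 11, 4} // first release the advisory lists as fixed

// parseVersion reads major.minor.patch from the first token of `caddy version` output (assumed "v2.11.3 h1:<hash>") and flags a pre-release suffix.
func parseVersion(output string) (v [3]int, prerelease bool, err error) {
	tok, _, _ := strings.Cut(strings.TrimSpace(output), " ")
	tok = strings.TrimPrefix(tok, "v")
	if i := strings.IndexAny(tok, "-+"); i >= 0 { // "-beta.1" sorts first; "+meta" is ignored
		prerelease, tok = tok[i] == '-', tok[:i]
	}
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return v, false, fmt.Errorf("unexpected version output %q", output)
	}
	for i, p := range parts {
		if v[i], err = strconv.Atoi(p); err != nil {
			return v, false, fmt.Errorf("non-numeric version component %q", p)
		}
	}
	return v, prerelease, nil
}

// IsAffected reports whether `caddy version` output is below the fixed release 2.11.4.
func IsAffected(output string) (bool, error) {
	v, prerelease, err := parseVersion(output)
	if err != nil {
		return false, err
	}
	for i := range v {
		if v[i] != fixedVersion[i] {
			return v[i] < fixedVersion[i], nil
		}
	}
	return prerelease, nil // 2.11.4-beta.N precedes 2.11.4, so it is still affected
}

// RenderEscaped is the interim mitigation: HTML-escape untrusted text instead of trusting stripHTML, so any tag that survives stripping is rendered inert.
func RenderEscaped(untrusted string) string { return template.HTMLEscapeString(untrusted) }

func main() { // constructed sample output; the h1 hash is a placeholder, not a real build
	fmt.Println(IsAffected("v2.11.3 h1:PLACEHOLDER"))
	fmt.Println(RenderEscaped("<<>img src=x onerror=alert()>"))
}
```

Escaping is a stop-gap for templates that must print untrusted strings before the upgrade; it does not change what stripHTML itself returns.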
