Vulnerability in Caddyserver Caddy

CVE-2026-52846

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as <<>img src=x onerror=alert()>, c…

CVSS v3 metric

CVSS v3 base score 4.2 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N.

Frequently asked questions

What is CVE-2026-52846?
CVE-2026-52846 is a medium-severity vulnerability in Caddyserver Caddy, classified under Improper Encoding or Escaping of Output. CVSS score: 4.2/10. Published 2026-06-23.
How severe is CVE-2026-52846?
Medium severity. CVSS v3 base score is 4.2 out of 10.