CVE-2026-52846
Summary
by MITRE • 06/23/2026
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely. This vulnerability is fixed in 2.11.4.
Analysis
by VulDB Data Team • 06/23/2026
The vulnerability in Caddy versions prior to 2.11.4 is a critical security flaw in the stripHTML template function that undermines the function's ability to sanitize user input. It stems from insufficient HTML parsing logic in the template engine: the function fails to identify and remove every HTML tag in an input string, which leaves an injection vector for attackers. The flaw manifests when malformed HTML constructs hit edge cases in the tag-stripping algorithm, so dangerous content survives in output that appears to have been sanitized.
The technical flaw lies in the incomplete implementation of HTML tag removal in Caddy's template processing system and is classified as CWE-79, Improper Neutralization of Input During Web Page Generation. It creates a direct path to cross-site scripting when untrusted input containing malicious HTML elements is passed through stripHTML and then rendered in a web context. The malformed example given in the summary, img src=x onerror=alert()>, shows how certain attribute combinations bypass the stripping logic and leave executable JavaScript embedded in what should be sanitized output. The vulnerability maps to ATT&CK technique T1203, Exploitation for Client Execution, since it lets attackers inject and execute scripts in client browsers.
The operational impact goes beyond data corruption and poses significant risk to web application security and user privacy. When untrusted strings pass through the vulnerable stripHTML function and are later rendered without further sanitization, users are exposed to client-side attacks including session hijacking, credential theft, and malware delivery. Caddy's default TLS configuration does not help here: the injected content travels inside the encrypted response, so the vulnerability can be exploited even in encrypted environments and may lead to data exfiltration or command execution on affected systems. Organizations running Caddy versions before 2.11.4 face heightened risk of successful XSS attacks that could compromise user sessions and lead to full system compromise.
Mitigation should prioritize an immediate upgrade to Caddy 2.11.4 or later, which ships a patched stripHTML template function with improved HTML parsing and tag removal logic. Security teams should also add input validation layers at multiple points in their applications, particularly where user-generated content is processed and displayed. Organizations should audit custom templates and applications for any reliance on the vulnerable stripHTML function to ensure remediation is complete across all affected systems. The fix addresses the root cause with more robust HTML parsing that handles malformed constructs correctly and closes the bypass that previously let dangerous content persist in sanitized output.
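The Go program below is an added illustration of the failure class this advisory describes and of the defensive check a team can keep in its template tests; it is not Caddy's code and does not reproduce the specific bypass fixed in 2.11.4. naiveStripHTML is a hypothetical, deliberately simplified tag stripper whose state machine can be confused by a constructed malformed input; leaksMarkup is the regression assertion (stripped output must contain no angle brackets); renderSafely shows why stripping must never be the last line of defence: whatever survives it is escaped by html/template at the point of rendering, so the leaked fragment is rendered inert.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// naiveStripHTML is a hypothetical, deliberately simplified tag stripper
// written for this example (it is not Caddy's implementation). It tracks a
// '<' ... '>' span and ignores '>' inside double quotes, which is exactly the
// kind of state machine that malformed input can confuse.
func naiveStripHTML(s string) string {
	var out strings.Builder
	inTag, inQuotes := false, false
	tagStart := 0
	for i, ch := range s {
		if inTag {
			switch {
			case ch == '>' && !inQuotes:
				inTag = false
			case ch == '"':
				inQuotes = !inQuotes
			}
			continue
		}
		if ch == '<' {
			inTag, tagStart = true, i
			continue
		}
		out.WriteRune(ch)
	}
	if inTag {
		// Unterminated tag: the stripper gives up and passes the raw text
		// through. This is the failure mode that leaks markup into output.
		out.WriteString(s[tagStart:])
	}
	return out.String()
}

// leaksMarkup is the regression check a template test should run on any
// "stripped" string: a sanitizer whose output still contains angle brackets
// has not done its job.
func leaksMarkup(stripped string) bool {
	return strings.ContainsAny(stripped, "<>")
}

// page renders the stripped value as text content. html/template escapes
// contextually, so anything that survives stripping is rendered inert.
var page = template.Must(template.New("p").Parse(`<p>{{.}}</p>`))

// renderSafely is the defence-in-depth path: strip first, but never rely on
// stripping alone; always escape at the point of rendering.
func renderSafely(untrusted string) (string, error) {
	var buf strings.Builder
	if err := page.Execute(&buf, naiveStripHTML(untrusted)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed inputs for the demonstration.
	wellFormed := `hello <b>bold</b> world`
	// The unbalanced quote keeps the naive state machine "inside" the tag
	// until end of input, so the whole fragment is emitted unchanged.
	malformed := `hello <img src="x onerror=alert()> world`

	for _, in := range []string{wellFormed, malformed} {
		stripped := naiveStripHTML(in)
		fmt.Printf("stripped: %q  leaks markup: %v\n", stripped, leaksMarkup(stripped))
		safe, err := renderSafely(in)
		if err != nil {
			panic(err)
		}
		fmt.Printf("rendered: %s\n\n", safe)
	}
}
```

Running it shows the well-formed input reduced to plain text, the malformed input passed through the naive stripper unchanged (leaksMarkup reports true), and both rendered with the surviving `<`, `>` and `"` escaped by html/template. The leaksMarkup assertion is cheap to add to any test suite that exercises custom templates, and the renderSafely pattern is what keeps a future stripper bug from becoming an XSS.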