Vulnerability Reportcaddy:2.10.2

caddy:2.10.2

DIGESTsha256:4c6e91c6ed0e2fa03efd5b44747b625fec79bc9cd06ac5235a779726618e530d

Executive Summary

Threat ScoreDANGEROUS• Official Docker Hub image pinned by digest, but contains critical vulnerabilities.• High-severity CVE-2026-27587 (CVSS 7.73) enables bypass of path-based routing and access controls over the network.• Multiple additional high-severity findings: CVE-2026-27590 (potential RCE via FastCGI path confusion), CVE-2025-68121 (TLS session resumption bypass).• Total of 102 exposed vulnerabilities, including 1 with severity >=7.5 and 33 with severity >=6.• Threat score of 75 indicates dangerous risk level.

75/100DANGEROUS

ReputationOFFICIAL• Official Docker Hub Image• Pinned by digest (Immutable)

TRUSTED

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could bypass path-based routing and access controls to gain unauthorized access to internal routes, or achieve remote code execution if FastCGI is enabled (CVE-2026-27590). While CVE-2026-27590 requires FastCGI configuration, CVE-2026-27587 is exploitable in the default setup. No full mitigation exists for the most critical vulnerability, making the image unsuitable for production.

Vulnerabilities

Vulnerability Log

121 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-27587	HIGH7.73	github.com/caddyserver/caddy/v2 v2.10.2 fixed in 2.11.1	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2025-68121	MEDIUM6.8	stdlib v1.25.0 fixed in 1.24.13, 1.25.7, 1.26.0-rc.3	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-27590	MEDIUM6.66	github.com/caddyserver/caddy/v2 v2.10.2 fixed in 2.11.1	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-1229	MEDIUM6.66	github.com/cloudflare/circl v1.6.1 fixed in 1.6.3	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-28388	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-27135	MEDIUM6.38	nghttp2-libs 1.65.0-r0 fixed in 1.68.1	0.6% Theoretical Threat	Directly Exposed
CVE-2026-34986	MEDIUM6.38	github.com/go-jose/go-jose/v3 v3.0.4 fixed in 3.0.5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34986	MEDIUM6.38	github.com/go-jose/go-jose/v4 v4.0.5 fixed in 4.1.4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-40898	MEDIUM6.38	github.com/quic-go/quic-go v0.54.0 fixed in 0.59.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-29181	MEDIUM6.38	go.opentelemetry.io/otel v1.37.0 fixed in 1.41.0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-61726	MEDIUM6.38	stdlib v1.25.0 fixed in 1.24.12, 1.25.6	0.8% Theoretical Threat	Directly Exposed
CVE-2025-61729	MEDIUM6.38	stdlib v1.25.0 fixed in 1.24.11, 1.25.5	0.5% Theoretical Threat	Directly Exposed
CVE-2026-25679	MEDIUM6.38	stdlib v1.25.0 fixed in 1.25.8, 1.26.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-32280	MEDIUM6.38	stdlib v1.25.0 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32281	MEDIUM6.38	stdlib v1.25.0 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32283	MEDIUM6.38	stdlib v1.25.0 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33811	MEDIUM6.38	stdlib v1.25.0 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-33814	MEDIUM6.38	stdlib v1.25.0 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-39820	MEDIUM6.38	stdlib v1.25.0 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-39836	MEDIUM6.38	stdlib v1.25.0 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2025-58183	MEDIUM6.38	stdlib v1.25.0 fixed in 1.24.8, 1.25.2	0.4% Theoretical Threat	Directly Exposed
CVE-2025-61728	MEDIUM6.38	stdlib v1.25.0 fixed in 1.24.12, 1.25.6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-27586	MEDIUM6.18	github.com/caddyserver/caddy/v2 v2.10.2 fixed in 2.11.1	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-27588	MEDIUM6.18	github.com/caddyserver/caddy/v2 v2.10.2 fixed in 2.11.1	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-4878	MEDIUM5.95	libcap 2.76-r0 fixed in 2.78-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4878	MEDIUM5.95	libcap2 2.76-r0 fixed in 2.78-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.37.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-27585	MEDIUM5.52	github.com/caddyserver/caddy/v2 v2.10.2 fixed in 2.11.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27589	MEDIUM5.52	github.com/caddyserver/caddy/v2 v2.10.2 fixed in 2.11.1	0.2% Theoretical Threat	Directly Exposed
CVE-2025-61727	MEDIUM5.52	stdlib v1.25.0 fixed in 1.24.11, 1.25.5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32282	MEDIUM5.44	stdlib v1.25.0 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32289	MEDIUM5.18	stdlib v1.25.0 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6042	MEDIUM4.67	musl 1.2.5-r10 fixed in 1.2.5-r11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.3.1-r2 fixed in 1.3.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-32288	MEDIUM4.67	stdlib v1.25.0 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2025-47910	MEDIUM4.59	stdlib v1.25.0 fixed in 1.25.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27142	MEDIUM4.59	stdlib v1.25.0 fixed in 1.25.8, 1.26.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.25.0 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-59530	MEDIUM4.5	github.com/quic-go/quic-go v0.54.0 fixed in 0.49.1, 0.54.1	0.4% Theoretical Threat	Directly Exposed
CVE-2025-64702	MEDIUM4.5	github.com/quic-go/quic-go v0.54.0 fixed in 0.57.0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-47914	MEDIUM4.5	golang.org/x/crypto v0.40.0 fixed in 0.45.0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-58181	MEDIUM4.5	golang.org/x/crypto v0.40.0 fixed in 0.45.0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-47912	MEDIUM4.5	stdlib v1.25.0 fixed in 1.24.8, 1.25.2	0.4% Theoretical Threat	Directly Exposed
CVE-2025-58185	MEDIUM4.5	stdlib v1.25.0 fixed in 1.24.8, 1.25.2	0.5% Theoretical Threat	Directly Exposed
CVE-2025-58187	MEDIUM4.5	stdlib v1.25.0 fixed in 1.24.9, 1.25.3	0.4% Theoretical Threat	Directly Exposed
CVE-2025-58188	MEDIUM4.5	stdlib v1.25.0 fixed in 1.24.8, 1.25.2	0.3% Theoretical Threat	Directly Exposed
CVE-2025-58189	MEDIUM4.5	stdlib v1.25.0 fixed in 1.24.8, 1.25.2	0.4% Theoretical Threat	Directly Exposed
CVE-2025-61723	MEDIUM4.5	stdlib v1.25.0 fixed in 1.24.8, 1.25.2	0.6% Theoretical Threat	Directly Exposed
CVE-2025-61724	MEDIUM4.5	stdlib v1.25.0 fixed in 1.24.8, 1.25.2	0.5% Theoretical Threat	Directly Exposed
CVE-2025-61725	MEDIUM4.5	stdlib v1.25.0 fixed in 1.24.8, 1.25.2	0.6% Theoretical Threat	Directly Exposed
CVE-2025-61730	MEDIUM4.5	stdlib v1.25.0 fixed in 1.24.12, 1.25.6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-58186	MEDIUM4.5	stdlib v1.25.0 fixed in 1.24.8, 1.25.2	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-66406	MEDIUM4.25	github.com/smallstep/certificates v0.28.4 fixed in 0.29.0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-40200	LOW3.98	musl-utils 1.2.5-r10 fixed in 1.2.5-r12	0.1% Theoretical Threat	Post-Exploit
CVE-2026-4878	LOW3.57	libcap-getcap 2.76-r0 fixed in 2.78-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-4878	LOW3.57	libcap-setcap 2.76-r0 fixed in 2.78-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-4878	LOW3.57	libcap-utils 2.76-r0 fixed in 2.78-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW3.15	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-26958	LOW3.15	filippo.io/edwards25519 v1.1.0 fixed in 1.1.1	0.4% Theoretical Threat	Directly Exposed
CVE-2025-44005	LOW3.06	github.com/smallstep/certificates v0.28.4 fixed in 0.29.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-30836	LOW3.06	github.com/smallstep/certificates v0.28.4 fixed in 0.30.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3 3.5.5-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-6042	LOW2.8	musl-utils 1.2.5-r10 fixed in 1.2.5-r11	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33186	LOW2.78	google.golang.org/grpc v1.73.0 fixed in 1.79.3	0.5% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-25793	LOW2.48	github.com/slackhq/nebula v1.9.5 fixed in 1.10.3	0.1% Theoretical Threat	Post-Exploit
CVE-2026-40200	LOW2.39	musl 1.2.5-r10 fixed in 1.2.5-r12	0.1% Theoretical Threat	Post-Exploit
CVE-2026-22184	LOW2.39	zlib 1.3.1-r2 fixed in 1.3.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-27139	LOW2.12	stdlib v1.25.0 fixed in 1.25.8, 1.26.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45135	NONE0	github.com/caddyserver/caddy/v2 v2.10.2 fixed in 2.11.3	—	Not Applicable
CVE-2026-45692	NONE0	github.com/caddyserver/caddy/v2 v2.10.2 fixed in 2.11.3	—	Not Applicable
GHSA-gx7w-56w6-g48x	NONE0	github.com/caddyserver/caddy/v2 v2.10.2 fixed in 2.11.3	—	Not Applicable
CVE-2025-62820	NONE0	github.com/slackhq/nebula v1.9.5 fixed in 1.9.7	0.2% Theoretical Threat	Not Applicable
CVE-2026-40097	NONE0	github.com/smallstep/certificates v0.28.4 fixed in 0.30.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-24051	NONE0	go.opentelemetry.io/otel/sdk v1.37.0 fixed in 1.40.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.25.0 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.25.0 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.25.0 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.25.0 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.25.0 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.25.0 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable