Vulnerability Reportcaddy:2.11.1

caddy:2.11.1

DIGESTsha256:9068f76202c0a03545036d32bf2d424d3b46c1174f254070f605002a2dbc9657

Executive Summary

CAUTION

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. The primary threat is denial of service from multiple network-accessible vulnerabilities, including OpenSSL CMS processing (CVE-2026-28390) and malformed IPv6 host parsing in net/url (CVE-2026-25679). Disabling HTTP/3 or QUIC support would mitigate DoS from QUIC-specific CVEs, while restricting JOSE functionality can avoid CVE-2026-34986. Note that CVE-2026-25679 is directly exploitable by any HTTP request, requiring no special configuration.

Threat Score

50/100

CAUTION

Official Docker image with high popularity but 73 exposed vulnerabilities, 18 with severity >=6.0.
No high-severity vulnerabilities (max 6.38), but numerous medium-severity DoS flaws across OpenSSL, Go stdlib, QUIC, and JOSE.
Denial-of-service risks from network-accessible attack surface (e.g., CVE-2026-28390, CVE-2026-25679).
Trusted source (Docker Official) and pinned digest reduce supply chain risk.

Reputation

TRUSTED

Docker Official

OFFICIAL

Official Docker Hub Image
Pinned by digest (Immutable)

Vulnerabilities

Vulnerability Log

108 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-28390	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34986	MEDIUM6.38	github.com/go-jose/go-jose/v3 v3.0.4 fixed in 3.0.5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34986	MEDIUM6.38	github.com/go-jose/go-jose/v4 v4.1.3 fixed in 4.1.4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-40898	MEDIUM6.38	github.com/quic-go/quic-go v0.59.0 fixed in 0.59.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-29181	MEDIUM6.38	go.opentelemetry.io/otel v1.40.0 fixed in 1.41.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-25679	MEDIUM6.38	stdlib v1.26.0 fixed in 1.25.8, 1.26.1	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-32280	MEDIUM6.38	stdlib v1.26.0 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32281	MEDIUM6.38	stdlib v1.26.0 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32283	MEDIUM6.38	stdlib v1.26.0 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33811	MEDIUM6.38	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-33814	MEDIUM6.38	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-39820	MEDIUM6.38	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-39836	MEDIUM6.38	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4878	MEDIUM5.95	libcap 2.77-r0 fixed in 2.78-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4878	MEDIUM5.95	libcap2 2.77-r0 fixed in 2.78-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.40.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33810	MEDIUM5.58	stdlib v1.26.0 fixed in 1.26.2	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-2673	MEDIUM5.52	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32282	MEDIUM5.44	stdlib v1.26.0 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32289	MEDIUM5.18	stdlib v1.26.0 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27137	MEDIUM5.1	stdlib v1.26.0 fixed in 1.26.1	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-31790	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6042	MEDIUM4.67	musl 1.2.5-r21 fixed in 1.2.5-r22	0.2% Theoretical Threat	Directly Exposed
CVE-2026-6042	MEDIUM4.67	musl-utils 1.2.5-r21 fixed in 1.2.5-r22	0.2% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.3.1-r2 fixed in 1.3.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-32288	MEDIUM4.67	stdlib v1.26.0 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27142	MEDIUM4.59	stdlib v1.26.0 fixed in 1.25.8, 1.26.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-4878	LOW3.57	libcap-getcap 2.77-r0 fixed in 2.78-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-4878	LOW3.57	libcap-setcap 2.77-r0 fixed in 2.78-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-4878	LOW3.57	libcap-utils 2.77-r0 fixed in 2.78-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW3.15	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-27138	LOW3.15	stdlib v1.26.0 fixed in 1.26.1	0.4% Theoretical Threat	Directly Exposed
CVE-2026-30836	LOW3.06	github.com/smallstep/certificates v0.30.0-rc2.0.20260211214201-20608299c29c fixed in 0.30.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3 3.5.5-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-3783	LOW2.91	curl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-3783	LOW2.91	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33186	LOW2.78	google.golang.org/grpc v1.78.0 fixed in 1.79.3	0.5% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2025-14017	LOW2.45	curl 8.17.0-r1 fixed in 8.19.0-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2025-14017	LOW2.45	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-40200	LOW2.39	musl 1.2.5-r21 fixed in 1.2.5-r23	0.1% Theoretical Threat	Post-Exploit
CVE-2026-40200	LOW2.39	musl-utils 1.2.5-r21 fixed in 1.2.5-r23	0.1% Theoretical Threat	Post-Exploit
CVE-2026-22184	LOW2.39	zlib 1.3.1-r2 fixed in 1.3.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-28388	LOW2.29	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28388	LOW2.29	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-27135	LOW2.29	nghttp2-libs 1.68.0-r0 fixed in 1.68.1	0.6% Theoretical Threat	Post-Exploit
CVE-2026-27139	LOW2.12	stdlib v1.26.0 fixed in 1.25.8, 1.26.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-1965	LOW2.08	curl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14819	LOW2.08	curl 8.17.0-r1 fixed in 8.19.0-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-1965	LOW2.08	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14819	LOW2.08	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-3784	LOW1.99	curl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14524	LOW1.99	curl 8.17.0-r1 fixed in 8.19.0-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-3784	LOW1.99	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14524	LOW1.99	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-3805	LOW1.93	curl 8.17.0-r1 fixed in 8.19.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-3805	LOW1.93	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-45135	NONE0	github.com/caddyserver/caddy/v2 v2.11.1 fixed in 2.11.3	—	Not Applicable
CVE-2026-45692	NONE0	github.com/caddyserver/caddy/v2 v2.11.1 fixed in 2.11.3	—	Not Applicable
GHSA-gx7w-56w6-g48x	NONE0	github.com/caddyserver/caddy/v2 v2.11.1 fixed in 2.11.3	—	Not Applicable
GHSA-wwhq-w58m-w29c	NONE0	github.com/caddyserver/caddy/v2 v2.11.1 No fix yet	—	Not Applicable
CVE-2026-40097	NONE0	github.com/smallstep/certificates v0.30.0-rc2.0.20260211214201-20608299c29c fixed in 0.30.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39882	NONE0	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.16.0 fixed in 0.19.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39882	NONE0	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0 fixed in 1.43.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39882	NONE0	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0 fixed in 1.43.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.0 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.0 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.0 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable