Vulnerability Reportcaddy:2.11.3-alpine

caddy:2.11.3-alpine
DIGESTsha256:86deaf5e3d3408a6ccec08fbb79989783dd26e206ae10bcf78a801dc8c9ab794

Executive Summary

Last scanned:

Threat Score
50/100CAUTION
Reputation
TRUSTED

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. While no vulnerabilities exceed severity 7.0, there are 7 medium-severity exposures, including CVE-2026-39821 which could allow attackers to bypass hostname-based access controls, and CVE-2026-46597 and CVE-2026-42504 which could cause denial of service. These vulnerabilities are particularly concerning given Caddy's role as a reverse proxy processing external requests. Remediating these vulnerabilities by updating the affected packages is strongly recommended before production deployment.

Vulnerabilities

Vulnerability Log

93 total
CVE IDAdjusted SeverityPackageExploit ProbabilityRisk Context
CVE-2026-39821MEDIUM6.97
golang.org/x/net
v0.53.0
fixed in 0.55.0
0.5%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2026-46597MEDIUM6.38
golang.org/x/crypto
v0.50.0
fixed in 0.52.0
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-42504MEDIUM6.38
stdlib
v1.26.3
fixed in 1.25.11, 1.26.4
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-34182MEDIUM6.29
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-34182MEDIUM6.29
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-42508MEDIUM6.29
golang.org/x/crypto
v0.50.0
fixed in 0.52.0
0.5%
Theoretical Threat
Directly Exposed
CVE-2026-46595MEDIUM6.03
golang.org/x/crypto
v0.50.0
fixed in 0.52.0
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-39827MEDIUM5.52
golang.org/x/crypto
v0.50.0
fixed in 0.52.0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-39834MEDIUM5.52
golang.org/x/crypto
v0.50.0
fixed in 0.52.0
0.5%
Theoretical Threat
Directly Exposed
CVE-2026-25680MEDIUM5.52
golang.org/x/net
v0.53.0
fixed in 0.55.0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-52845MEDIUM5.5
github.com/caddyserver/caddy/v2
v2.11.3
fixed in 2.11.4
0.2%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-34181MEDIUM5.35
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-42768MEDIUM5.35
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-34181MEDIUM5.35
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-42768MEDIUM5.35
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-42502MEDIUM5.18
golang.org/x/net
v0.53.0
fixed in 0.55.0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-34986MEDIUM5.1
github.com/go-jose/go-jose/v3
v3.0.4
fixed in 3.0.5
0.7%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-27145MEDIUM5.1
stdlib
v1.26.3
fixed in 1.25.11, 1.26.4
0.9%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-42764MEDIUM5.02
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.7%
Theoretical Threat
Directly Exposed
CVE-2026-42769MEDIUM5.02
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-42770MEDIUM5.02
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-9076MEDIUM5.02
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-42764MEDIUM5.02
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.7%
Theoretical Threat
Directly Exposed
CVE-2026-42769MEDIUM5.02
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-42770MEDIUM5.02
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-9076MEDIUM5.02
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-7383MEDIUM4.67
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-7383MEDIUM4.67
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-39833MEDIUM4.67
golang.org/x/crypto
v0.50.0
fixed in 0.52.0
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-42506MEDIUM4.59
golang.org/x/net
v0.53.0
fixed in 0.55.0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-42766MEDIUM4.5
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-42767MEDIUM4.5
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-42766MEDIUM4.5
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-42767MEDIUM4.5
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-46598MEDIUM4.5
golang.org/x/crypto
v0.50.0
fixed in 0.52.0
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-42505MEDIUM4.5
stdlib
v1.26.3
fixed in 1.25.12, 1.26.5, 1.27.0-rc.2
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-42507MEDIUM4.5
stdlib
v1.26.3
fixed in 1.25.11, 1.26.4
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-34180MEDIUM4.25
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.5%
Theoretical Threat
Directly Exposed
CVE-2026-34180MEDIUM4.25
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.5%
Theoretical Threat
Directly Exposed
CVE-2026-52846LOW3.57
github.com/caddyserver/caddy/v2
v2.11.3
fixed in 2.11.4
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-3784LOW3.31
curl
8.17.0-r1
fixed in 8.19.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-5545LOW3.31
curl
8.17.0-r1
fixed in 8.20.0-r0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-6429LOW3.31
curl
8.17.0-r1
fixed in 8.20.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-3784LOW3.31
libcurl
8.17.0-r1
fixed in 8.19.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-5545LOW3.31
libcurl
8.17.0-r1
fixed in 8.20.0-r0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-6429LOW3.31
libcurl
8.17.0-r1
fixed in 8.20.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-3805LOW3.21
curl
8.17.0-r1
fixed in 8.19.0-r0
0.7%
Theoretical Threat
Post-Exploit
CVE-2026-3805LOW3.21
libcurl
8.17.0-r1
fixed in 8.19.0-r0
0.7%
Theoretical Threat
Post-Exploit
CVE-2026-45446LOW3.15
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-45446LOW3.15
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-45447LOW2.92
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
2.7%
Low-Moderate Risk
Post-Exploit
CVE-2026-45447LOW2.92
libssl3
3.5.6-r0
fixed in 3.5.7-r0
2.7%
Low-Moderate Risk
Post-Exploit
CVE-2026-3783LOW2.91
curl
8.17.0-r1
fixed in 8.19.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-3783LOW2.91
libcurl
8.17.0-r1
fixed in 8.19.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-45445LOW2.78
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-45445LOW2.78
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-33630LOW2.7
c-ares
1.34.6-r0
fixed in 1.34.8-r0
Post-Exploit
CVE-2026-4873LOW2.7
curl
8.17.0-r1
fixed in 8.20.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-6253LOW2.7
curl
8.17.0-r1
fixed in 8.20.0-r0
0.6%
Theoretical Threat
Post-Exploit
CVE-2026-7009LOW2.7
curl
8.17.0-r1
fixed in 8.20.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-7168LOW2.7
curl
8.17.0-r1
fixed in 8.20.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-4873LOW2.7
libcurl
8.17.0-r1
fixed in 8.20.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-6253LOW2.7
libcurl
8.17.0-r1
fixed in 8.20.0-r0
0.6%
Theoretical Threat
Post-Exploit
CVE-2026-7009LOW2.7
libcurl
8.17.0-r1
fixed in 8.20.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-7168LOW2.7
libcurl
8.17.0-r1
fixed in 8.20.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-39828LOW2.69
golang.org/x/crypto
v0.50.0
fixed in 0.52.0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-39832LOW2.66
golang.org/x/crypto
v0.50.0
fixed in 0.52.0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-39831LOW2.48
golang.org/x/crypto
v0.50.0
fixed in 0.52.0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-25681LOW2.48
golang.org/x/net
v0.53.0
fixed in 0.55.0
0.2%
Theoretical Threat
Post-Exploit
CVE-2026-27136LOW2.48
golang.org/x/net
v0.53.0
fixed in 0.55.0
0.2%
Theoretical Threat
Post-Exploit
CVE-2025-14017LOW2.45
curl
8.17.0-r1
fixed in 8.19.0-r0
0.1%
Theoretical Threat
Post-Exploit
CVE-2025-14017LOW2.45
libcurl
8.17.0-r1
fixed in 8.19.0-r0
0.1%
Theoretical Threat
Post-Exploit
CVE-2026-39822LOW2.39
stdlib
v1.26.3
fixed in 1.25.12, 1.26.5, 1.27.0-rc.2
0.2%
Theoretical Threat
Post-Exploit
CVE-2026-5773LOW2.29
curl
8.17.0-r1
fixed in 8.20.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-6276LOW2.29
curl
8.17.0-r1
fixed in 8.20.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-34183LOW2.29
libcrypto3
3.5.6-r0
fixed in 3.5.7-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-5773LOW2.29
libcurl
8.17.0-r1
fixed in 8.20.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-6276LOW2.29
libcurl
8.17.0-r1
fixed in 8.20.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-34183LOW2.29
libssl3
3.5.6-r0
fixed in 3.5.7-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-39829LOW2.29
golang.org/x/crypto
v0.50.0
fixed in 0.52.0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-39830LOW2.29
golang.org/x/crypto
v0.50.0
fixed in 0.52.0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-39835LOW2.29
golang.org/x/crypto
v0.50.0
fixed in 0.52.0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-1965LOW2.08
curl
8.17.0-r1
fixed in 8.19.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2025-14819LOW2.08
curl
8.17.0-r1
fixed in 8.19.0-r0
0.7%
Theoretical Threat
Post-Exploit
CVE-2026-1965LOW2.08
libcurl
8.17.0-r1
fixed in 8.19.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2025-14819LOW2.08
libcurl
8.17.0-r1
fixed in 8.19.0-r0
0.7%
Theoretical Threat
Post-Exploit
CVE-2025-14524LOW1.99
curl
8.17.0-r1
fixed in 8.19.0-r0
0.6%
Theoretical Threat
Post-Exploit
CVE-2025-14524LOW1.99
libcurl
8.17.0-r1
fixed in 8.19.0-r0
0.6%
Theoretical Threat
Post-Exploit
CVE-2026-52844NONE0
github.com/caddyserver/caddy/v2
v2.11.3
fixed in 2.11.4
0.4%
Theoretical Threat
Not Applicable
GO-2026-5932NONE0
golang.org/x/crypto
v0.50.0
No fix yet
Not Applicable
CVE-2026-46600NONE0
golang.org/x/net
v0.53.0
fixed in 0.56.0
Not Applicable
CVE-2026-39824NONE0
golang.org/x/sys
v0.43.0
fixed in 0.44.0
0.1%
Theoretical Threat
Not Applicable
CVE-2026-56852NONE0
golang.org/x/text
v0.36.0
fixed in 0.39.0
Not Applicable

Want to check another image? Run a full scan with the Docker Security Scanner.