CVE-2026-52846

Name: CVE-2026-52846
Creator: NVD / NIST
Published: 2026-06-23T18:18:05.4+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 4.2/10EPSS 0.15%

Last modified Jun 25, 2026

CVE-2026-52846 is a medium-severity vulnerability rated 4.2/10 on the CVSS scale. Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. EPSS estimates a 0.15% chance of exploitation in the next 30 days.

Description

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely. This vulnerability is fixed in 2.11.4.

Metrics

CVSS 3.1

4.2/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS Probability

0.15%

4.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-116

References

Timeline

Published: Jun 23, 2026
Last Modified: Jun 25, 2026
Status: Undergoing Analysis

Frequently Asked Questions

What is CVE-2026-52846?

How severe is CVE-2026-52846?

CVE-2026-52846 has a CVSS score of 4.2/10 (MEDIUM severity). The EPSS model estimates a 0.15% probability of exploitation in the next 30 days.

How do I fix CVE-2026-52846?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-52846?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST