Caddy <=2.11.3 StripHTML Vulnerability: Improper Tag Removal Leads to XSS
CVE-2026-52846 Published on June 23, 2026
Caddy: stripHTML template function bypass
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy's stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely. This vulnerability is fixed in 2.11.4.
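To make the advisory's point concrete, the following is an added example and is neither Caddy's code nor its fix: a hypothetical single-pass stripper whose handling of a second '<' inside a tag re-emits the first one (an assumption about the bug class, not a reproduction of Caddy's implementation), the post-condition check a deployer can run against the advisory's quoted input, and a hardened wrapper that HTML-escapes whatever survives stripping instead of trusting the stripper alone.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// weakStripHTML is a hypothetical single-pass tag stripper written for this
// example; it is not Caddy's code. When a second '<' appears inside a tag it
// treats the first '<' as a "false start" and copies it to the output, so a
// bracket that should have been dropped survives.
func weakStripHTML(s string) string {
	var out strings.Builder
	inTag, tagStart := false, 0
	for i, ch := range s {
		if inTag {
			switch ch {
			case '>':
				inTag = false
			case '<':
				out.WriteString(s[tagStart:i]) // re-emits the earlier '<'
				tagStart = i
			}
			continue
		}
		if ch == '<' {
			inTag, tagStart = true, i
			continue
		}
		out.WriteRune(ch)
	}
	if inTag {
		out.WriteString(s[tagStart:]) // unterminated tag kept as text
	}
	return out.String()
}

// containsTag is the post-condition a defender should check: if any angle
// bracket survived stripping, the result must not be treated as tag-free.
func containsTag(s string) bool { return strings.ContainsAny(s, "<>") }
// hardenedStrip does not trust stripping alone: whatever survives is
// HTML-escaped, so a leaked "<img ...>" is rendered as literal text.
func hardenedStrip(s string) string { return html.EscapeString(weakStripHTML(s)) }
// advisoryInput is the malformed input quoted in the advisory.
const advisoryInput = "<<>img src=x onerror=alert()>"
func main() {
	fmt.Printf("weak: %q tag-free=%v\n", weakStripHTML(advisoryInput), !containsTag(weakStripHTML(advisoryInput)))
	fmt.Printf("hardened: %q\n", hardenedStrip(advisoryInput))
}
```

Running it shows the weak stripper turning the advisory's input into a complete img tag, while the hardened wrapper leaves only escaped text that no browser will interpret as markup.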
Vulnerability Analysis
CVE-2026-52846 is exploitable with network access and requires user interaction. This vulnerability is considered to have a high level of attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2026-52846. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an Output Sanitization Vulnerability?
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CVE-2026-52846 has been classified as an Output Sanitization vulnerability or weakness.
Products Associated with CVE-2026-52846
Caddy Web Server (Caddy Server)