<Vulnerability name="CVE-2026-52846">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-23T17:47:30</PublicDate>
    <Bugzilla id="2491908" url="https://bugzilla.redhat.com/show_bug.cgi?id=2491908" xml:lang="en:us">
github.com/caddyserver/caddy: Caddy: Client-side Cross-Site Scripting (XSS) due to incomplete HTML tag stripping
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>4.2</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-79</CWE>
    <Details xml:lang="en:us" source="Mitre">
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as &lt;&lt;&gt;img src=x onerror=alert()&gt;, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely. This vulnerability is fixed in 2.11.4.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Caddy, an extensible server platform. The `stripHTML` template function, intended to remove HTML tags from input, fails to reliably process certain malformed HTML. This oversight allows dangerous content to remain in the output, which, if subsequently rendered as HTML, can lead to client-side Cross-Site Scripting (XSS). A remote attacker could exploit this by providing specially crafted input, potentially executing malicious scripts in a user's browser.
    </Details>
    <Statement xml:lang="en:us">
Caddy's stripHTML template function fails to reliably strip malformed HTML, which can lead to client-side XSS if untrusted input is rendered through Caddy's `templates` directive. Exploitation requires the `templates` directive to be enabled in a Caddyfile with a template that calls stripHTML on untrusted input; Caddy deployments that only use `file_server` for static asset serving never reach the vulnerable function. All investigated Red Hat Insights/console.redhat.com frontend services build and deploy through a shared Caddyfile-generation pipeline (insights-frontend-builder-common) or an equivalent static-file-only configuration that does not enable `templates`, and are therefore not affected. The general-purpose `caddy` package shipped by Fedora/EPEL may be configured with `templates` by downstream users and is marked affected.
    </Statement>
    <Mitigation xml:lang="en:us">
Users who have enabled Caddy's `templates` directive with untrusted input passed through the stripHTML function should upgrade to Caddy 2.11.4 or later, or disable the `templates` directive if not required.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>caddy</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-52846
https://nvd.nist.gov/vuln/detail/CVE-2026-52846
https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v
    </References>
</Vulnerability>