Is this vulnerability remotely exploitable?

Yes. The vulnerable behavior is triggered through HTTP(S) requests, so an attacker who can reach the Caddy server can attempt to exploit it. However, the most severe outcomes (like code execution) usually require that the attacker can also influence files on disk, such as via an upload feature or writable directories.

Does an attacker need authenticated access to exploit it?

Not necessarily. If file uploads or writable directories are exposed to unauthenticated users, then an unauthenticated attacker could potentially craft both the request paths and the uploaded content. In environments where uploads or file write capabilities are restricted to authenticated users, exploitation at the RCE level would typically require those privileges.

What is the safest general fix pattern?

The core fix pattern is to ensure that all path parsing and splitting logic operates on a single, consistent representation of the path. Any transformation that may change string length (such as Unicode case folding) should be applied in a way that does not break index calculations—either by performing both detection and slicing on the same transformed string, or by avoiding index reuse across different representations. Additionally, avoid executing files from locations where untrusted content can be written.

Severity:

CRITICAL RISK

(9.8)

Unicode-Aware Path Normalization Flaw (CWE-20, CWE-180) in Caddy FastCGI Handler

CVE-2026-27590

Published:

Feb 24, 2026

Status:

Analyzed

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

NDV

Recent Vulnerabilities

CWE-77;CWE-78

HIGH RISK

HIGH

(7.3)

OS Command Injection (CWE-78) in Totolink A7100RU setGameSpeedCfg CGI Handler

Remote Code Execution on the Router

April 6, 2026

CWE-77;CWE-78

HIGH RISK

HIGH

(7.3)

OS Command Injection (CWE-78) in Totolink A7100RU setFirewallType Handler

Remote Code Execution on Router Firmware

April 6, 2026

Vulnerability Type

Category:

Input Validation and Path Normalization Error

CWE:

CWE-20;CWE-180

Impact:

Remote Code Execution via Path Confusion in FastCGI/PHP Setups

Severity:

CRITICAL RISK

(9.8)

CVSS Version:

3.1

Vulnerability Type

Category:

Input Validation and Path Normalization Error

CWE:

CWE-20;CWE-180

Impact:

Remote Code Execution via Path Confusion in FastCGI/PHP Setups

Severity:

CRITICAL RISK

(9.8)

CVSS Version:

3.1

Catch This CVE While Code Is Being Written

Detect vulnerable code directly in pull requests, so CVEs are fixed before merge.

Get Started

Ship clean & secure code faster

START 14 DAYS FREE TRIAL

BOOK A DEMO

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Unicode-Aware Path Normalization Flaw (CWE-20, CWE-180) in Caddy FastCGI Handler

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

Recent Vulnerabilities

HIGH RISK

HIGH

(7.3)

OS Command Injection (CWE-78) in Totolink A7100RU setGameSpeedCfg CGI Handler

HIGH RISK

HIGH

(7.3)

OS Command Injection (CWE-78) in Totolink A7100RU setFirewallType Handler

Vulnerability Type

Vulnerability Type

Vulnerability Type

Catch This CVE While Code Is Being Written

Ship clean & secure code faster

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare