GHSA-vcc4-2c75-vc9v: Caddy: stripHTML template function bypass
Severity: medium
Summary
Caddy's `stripHTML` template function (which removes HTML tags from a string) can be bypassed with malformed markup such as `<<>img src=x onerror=alert()>`: the tag-removal logic mishandles the nested `<`, and a working `<img>` tag survives in the output. Wherever that output is later rendered as HTML without escaping, an attacker who controls the input gains cross-site scripting (XSS), that is, script execution in the browsers of users viewing the page. Treat the output of `stripHTML` as untrusted text rather than sanitized HTML, and upgrade to the fixed release listed under Affected Packages.
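As an added illustration (this is example code, not Caddy's implementation and not taken from the advisory), the Go program below implements a naive tag-stripping state machine of the kind the summary describes: it drops everything between `<` and the next unquoted `>`, and when it meets a second `<` while inside a tag it treats the earlier `<` as a "false start" and copies that fragment back into the output. Whether this matches Caddy's own code is an assumption; what it shows is how the `<<>img ...>` payload reassembles into a live element, and how escaping any re-emitted fragment closes that hole. The function names and the `canOpenTag` check are this example's own.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// stripTags scans s and drops anything between '<' and the next unquoted '>'.
// When it meets a second '<' while still inside a tag, it treats the earlier
// '<' as a false start and hands that fragment to onResidue, which decides how
// the fragment reaches the output. A trailing unterminated '<' is handled the
// same way. (Example code, not Caddy's implementation.)
func stripTags(s string, onResidue func(string) string) string {
	var buf strings.Builder
	var inTag, inQuotes bool
	var tagStart int
	for i, ch := range s {
		if inTag {
			switch {
			case ch == '>' && !inQuotes:
				inTag = false
			case ch == '<' && !inQuotes:
				// False start: the text since the previous '<' was not a tag.
				buf.WriteString(onResidue(s[tagStart:i]))
				tagStart = i
			case ch == '"':
				inQuotes = !inQuotes
			}
			continue
		}
		if ch == '<' {
			inTag, tagStart = true, i
			continue
		}
		buf.WriteRune(ch)
	}
	if inTag {
		buf.WriteString(onResidue(s[tagStart:]))
	}
	return buf.String()
}

// naiveStripHTML copies false-start residue back verbatim. This is the
// behaviour the advisory describes: the '<' copied back, plus the text that
// follows the closing '>' of the bogus "<>" tag, form a complete <img> element.
func naiveStripHTML(s string) string {
	return stripTags(s, func(residue string) string { return residue })
}

// hardenedStripHTML escapes the residue instead, so a '<' that the scanner
// could not classify as a tag is never re-emitted raw and cannot open a tag.
func hardenedStripHTML(s string) string {
	return stripTags(s, html.EscapeString)
}

// tagOpener matches a '<' that an HTML tokenizer would treat as the start of a
// tag, comment, or processing instruction.
var tagOpener = regexp.MustCompile(`<[A-Za-z/!?]`)

// canOpenTag reports whether stripped output could still start an HTML tag.
func canOpenTag(s string) bool {
	return tagOpener.MatchString(s)
}

func main() {
	// Constructed inputs for this example: the advisory's payload and a
	// benign string with a bare "<" in text.
	for _, in := range []string{
		"<<>img src=x onerror=alert()>",
		"Hello <b>world</b>, 1 < 2",
	} {
		naive, hardened := naiveStripHTML(in), hardenedStripHTML(in)
		fmt.Printf("input:    %q\nnaive:    %q (can open tag: %v)\nhardened: %q (can open tag: %v)\n\n",
			in, naive, canOpenTag(naive), hardened, canOpenTag(hardened))
	}
}
```

Running it shows the naive variant turning `<<>img src=x onerror=alert()>` into `<img src=x onerror=alert()>`, which `canOpenTag` flags, while the hardened variant yields `&lt;img src=x onerror=alert()>`, which a browser renders as literal text. The wider lesson is the one in the summary: a tag stripper produces text, and text bound for an HTML document still has to be escaped at the point of insertion.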
Vulnerability Details
EPSS (30-day exploit probability): 0.0%
Patch available: yes
Disclosure date: June 16, 2026
Classification: attack sophistication trivial
Affected packages:
github.com/caddyserver/caddy@<= 1.0.5
github.com/caddyserver/caddy/v2@<= 2.11.3 (fixed: 2.11.4)
Original source: https://github.com/advisories/GHSA-vcc4-2c75-vc9v
First tracked: June 16, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%