Impact
Prior to 2.11.4, Caddy's stripHTML template function does not reliably remove all HTML tags from its input. Malformed HTML such as <<>img src=x onerror=alert()> bypasses the stripping logic and leaves a well-formed <img> tag with an onerror handler in the output. If that output is later rendered as HTML without escaping, an attacker who controls the input achieves client-side XSS in the browsers of the site's visitors. The vulnerability is fixed in 2.11.4. TLS, which Caddy enables by default, does not mitigate it: the payload travels inside the page content, not over the transport, so the flaw remains until the update is applied. The flaw is classified as CWE-116 (Improper Encoding or Escaping of Output).
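The following Go program is an added example, not code from the Caddy project or from the advisory. It models a single-pass tag stripper of the kind the advisory describes (the one-flag state machine with a "false start" rule is an assumption about how such a stripper behaves, reconstructed for illustration) and shows how the advisory's payload survives it, a check for leftover tag characters, and the escape-on-output defence that the CWE-116 classification points at. The function names naiveStripHTML, containsTagChars and stripThenEscape are this example's own.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// naiveStripHTML models a single-pass tag stripper of the kind the advisory
// describes. It is a reconstruction written for this example, not Caddy's
// code: one "inside a tag" flag, quote tracking, and a "false start" rule
// that flushes the text taken for a tag when a second '<' appears before
// the first one closed.
func naiveStripHTML(s string) string {
	var buf strings.Builder
	inTag, inQuotes := false, false
	tagStart := 0
	for i, ch := range s {
		if inTag {
			switch {
			case ch == '>' && !inQuotes:
				inTag = false
			case ch == '<' && !inQuotes:
				// False start: what looked like a tag is emitted as text,
				// and the tag restarts at this '<'. For "<<>" this writes
				// the first '<' back into the output, where it later pairs
				// with the trailing '>' of the payload.
				buf.WriteString(s[tagStart:i])
				tagStart = i
			case ch == '"':
				inQuotes = !inQuotes
			}
			continue
		}
		if ch == '<' {
			inTag, tagStart = true, i
			continue
		}
		buf.WriteRune(ch)
	}
	if inTag {
		// An unterminated tag at end of input is kept as text.
		buf.WriteString(s[tagStart:])
	}
	return buf.String()
}

// containsTagChars is the check a reviewer wants on anything that will be
// rendered as HTML: if '<' or '>' survived stripping, a tag can still form.
func containsTagChars(s string) bool {
	return strings.ContainsAny(s, "<>")
}

// stripThenEscape is the hardened form: stripping is kept for cosmetics,
// but the result is HTML-escaped, so no leftover '<' can become a tag. This
// is the generic encode-or-escape-output defence, not Caddy's 2.11.4 patch.
func stripThenEscape(s string) string {
	return html.EscapeString(naiveStripHTML(s))
}

func main() {
	payload := "<<>img src=x onerror=alert()>" // the advisory's bypass input
	benign := "<p>hello <b>world</b></p>"      // constructed well-formed input

	fmt.Printf("benign  -> %q\n", naiveStripHTML(benign))
	out := naiveStripHTML(payload)
	fmt.Printf("payload -> %q (tag chars left: %v)\n", out, containsTagChars(out))
	safe := stripThenEscape(payload)
	fmt.Printf("escaped -> %q (tag chars left: %v)\n", safe, containsTagChars(safe))
}
```

Running it shows the benign input reduced to "hello world" while the payload comes out as a complete <img src=x onerror=alert()> tag; only the escaped form is safe to place in a page. The lesson for template authors is that stripping is a presentation filter, not a security boundary, and untrusted values still need contextual escaping at the point of rendering.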
Affected Systems
Affected systems are all Caddy installations running a release before 2.11.4 that call the stripHTML helper in their page rendering. The vulnerable code is in the Caddy server itself (vendor/product caddyserver:caddy), in the templates handler that provides the stripHTML template function, so exposure depends on whether a site's templates use that helper on untrusted input. Version information is limited to the release line: 2.11.3 and earlier are considered vulnerable, while 2.11.4 and later include the fix.
Risk and Exploitability
The CVSS score of 4.2 places this in the medium severity band. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so there is no documented exploitation at the time of writing. The likely attack vector is an attacker inserting crafted content into a template variable that is passed through stripHTML and then rendered. Exploitation requires the ability to influence template input; where an application uses templating to display untrusted data and relies on stripHTML instead of proper output escaping, the attacker's script executes in users' browsers. The practical remediation is to upgrade to 2.11.4 and, independently, to ensure that values rendered after stripHTML are still HTML-escaped.
OpenCVE Enrichment
Github GHSA