Caddy Web Server Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) Vulnerability - CVE-2026-30852
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder such as http.request.header.X-Input, the header value is resolved once (expected) and then passed through repl.ReplaceAll() again (the bug). As a result, an attacker can put env.DATABASE_URL or file./etc/passwd in a request header and the server will evaluate it, leaking environment variables, file contents and system information. This issue has been patched in version 2.11.2.
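The following Go program is an added illustration of the double-expansion pattern described above; it is not Caddy's code. The replacer is a toy map of placeholder names to values, the `{name}` brace syntax and the `http.request.header.X-Input` / `env.DATABASE_URL` keys stand in for the real replacer's lookups, and the secret and header values are constructed. It puts the flawed flow (expand, then expand again) beside the corrected flow (expand once, then treat the result as opaque data) and adds a small check a defender can run over raw header values to spot placeholder syntax arriving from a client.

```go
package main

import (
	"fmt"
	"regexp"
)

// replacer is a toy stand-in for the Caddy replacer: a flat map from
// placeholder name to value (constructed for this example).
type replacer map[string]string

// placeholderRe matches one {name} placeholder; braces are assumed syntax.
var placeholderRe = regexp.MustCompile(`\{([^{}]+)\}`)

// replaceAll performs exactly ONE expansion pass over s. Substituted text is
// not re-scanned, so a value that itself contains {...} stays literal.
func (r replacer) replaceAll(s string) string {
	return placeholderRe.ReplaceAllStringFunc(s, func(m string) string {
		name := m[1 : len(m)-1]
		if v, ok := r[name]; ok {
			return v
		}
		return m // unknown placeholder: leave untouched
	})
}

// matchDoubleExpand models the flawed matcher: the configured input is expanded
// once (resolving the header placeholder to the client-supplied header value)
// and then expanded a second time, so placeholder syntax inside that header
// value is evaluated with server privileges.
func matchDoubleExpand(r replacer, input, pattern string) (bool, string) {
	resolved := r.replaceAll(input)
	resolved = r.replaceAll(resolved) // the bug: second pass over user data
	return regexp.MustCompile(pattern).MatchString(resolved), resolved
}

// matchSingleExpand is the corrected flow: expand the configured input exactly
// once and match the regexp against the result as opaque data.
func matchSingleExpand(r replacer, input, pattern string) (bool, string) {
	resolved := r.replaceAll(input)
	return regexp.MustCompile(pattern).MatchString(resolved), resolved
}

// headerCarriesPlaceholder is a defender-side check: a raw request header
// value that contains placeholder syntax is worth logging or alerting on,
// since legitimate clients have no reason to send it.
func headerCarriesPlaceholder(raw string) bool {
	return placeholderRe.MatchString(raw)
}

// newRequestReplacer builds the replacer for one constructed request whose
// X-Input header carries placeholder syntax. The DATABASE_URL is a fake secret.
func newRequestReplacer(xInput string) replacer {
	return replacer{
		"http.request.header.X-Input": xInput,
		"env.DATABASE_URL":            "postgres://app:EXAMPLE-SECRET@db/app",
	}
}

func main() {
	hdr := "{env.DATABASE_URL}" // constructed hostile header value
	r := newRequestReplacer(hdr)
	input := "{http.request.header.X-Input}"

	_, leaked := matchDoubleExpand(r, input, ".*")
	_, safe := matchSingleExpand(r, input, ".*")
	fmt.Println("double expansion resolves to:", leaked)
	fmt.Println("single expansion resolves to:", safe)
	fmt.Println("header carries placeholder syntax:", headerCarriesPlaceholder(hdr))
}
```

Running it shows the single-pass flow yielding the literal string `{env.DATABASE_URL}` (which the regexp then matches as text), while the second pass turns the same header into the configured secret. The `headerCarriesPlaceholder` check is a cheap detection signal for a WAF or access-log rule while an upgrade to 2.11.2 is rolled out.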