Summary The FastCGI transport's splitPos() in [modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go](https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go) misuses golang.org/x/…
| CVE ID | CVE-2026-45135 |
| Vendor | go |
| Affected Product | github.com/caddyserver/caddy/v2 |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.1 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
splitPos() in [modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go](https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go) misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treating a non-.php (or other configured split_path extension) file as a script. In any deployment where the attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This function was adapted from FrankenPHP's code (see [the source comment](https://github.com/Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.