Which versions of NGINX JavaScript are affected by CVE-2026-8711?

F5 NGINX JavaScript module versions 0.9.4 through 0.9.8 contain a critical vulnerability allowing unauthenticated remote attackers to crash web services and potentially execute code on affected…. A patch is available.

NGINX JavaScript CVE-2026-8711

Q: What is the CVSS score of CVE-2026-8711?

CVE-2026-8711 has a CVSS 4.0 base score of 9.2 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

EUVD-2026-30940 CRITICAL

Heap-based Buffer Overflow (CWE-122)

2026-05-19 f5

GHSA-pj32-6rxc-gcmq

RCE Buffer Overflow Heap Overflow Nginx Suse

9.2

CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 19, 2026 - 15:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 19, 2026 - 15:22 vuln.today

cvss_changed

Severity Changed

May 19, 2026 - 15:22 NVD

HIGH CRITICAL

CVSS changed

May 19, 2026 - 15:22 NVD

8.1 (HIGH) 9.2 (CRITICAL)

Patch available

May 19, 2026 - 15:02 EUVD

Analysis Generated

May 19, 2026 - 15:01 vuln.today

DescriptionNVD

NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Heap buffer overflow in F5 NGINX JavaScript (njs) module versions 0.9.4 through 0.9.8 allows unauthenticated remote attackers to crash NGINX worker processes, with potential remote code execution on hosts where ASLR is disabled. Exploitation requires the deployment to use the js_fetch_proxy directive with at least one client-controlled NGINX variable (such as $http_*, $arg_*, or $cookie_*) and a location that invokes ngx.fetch(). …

RemediationAI

Within 24 hours: Identify all NGINX deployments using njs module versions 0.9.4-0.9.8 with js_fetch_proxy directive enabled. Within 7 days: Deploy F5-released security patch to all affected NGINX installations. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory