Which versions of Nginx are affected by EUVD-2026-14881?

A high-severity buffer overflow in NGINX's DAV module (CVE-2026-27654) poses immediate risk to organizations running vulnerable versions, potentially enabling service disruption or unauthorized file…. A patch is available.

Nginx EUVD-2026-14881

Q: What is the CVSS score of EUVD-2026-14881?

EUVD-2026-14881 has a CVSS 4.0 base score of 8.8 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-27654 HIGH

Heap-based Buffer Overflow (CWE-122)

2026-03-24 f5

GHSA-6r46-2qjx-j5j3

Buffer Overflow Heap Overflow Nginx Red Hat Suse

8.8

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch released

Apr 10, 2026 - 08:30 nvd

Patch available

EUVD ID Assigned

Mar 24, 2026 - 14:45 euvd

EUVD-2026-14881

Analysis Generated

Mar 24, 2026 - 14:45 vuln.today

CVE Published

Mar 24, 2026 - 14:13 nvd

HIGH 8.8

DescriptionNVD

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside the document root when MOVE/COPY methods are combined with prefix location and alias directives. The vulnerability affects NGINX Open Source and NGINX Plus installations using vulnerable configurations, though the low-privilege worker process context limits the scope of file manipulation. …

RemediationAI

Within 24 hours: Conduct asset inventory to identify all NGINX deployments using DAV modules with prefix locations and alias directives; document exposure scope. Within 7 days: Implement compensating controls (disable DAV methods if not business-critical, apply WAF rules blocking malformed MOVE/COPY requests, isolate affected servers). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory