Skip to main content

Nginx

369 CVEs vendor

Monthly

CVE-2026-60005 HIGH PATCH This Week

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_http_slice_module is compiled in and configured alongside unnamed regex captures, or when a background cache update occurs, letting remote attackers trigger uninitialized memory access (CWE-908) in the data plane. The CVSS:4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with no user interaction, scored 8.8. There is no public exploit identified at time of analysis and no CISA KEV listing; F5 has released a patch and the issue does not affect the control plane.

Nginx Information Disclosure Nginx Plus Nginx Open Source
NVD
CVSS 4.0
8.8
CVE-2026-60065 MEDIUM PATCH This Month

Heap buffer over-read in NGINX Plus's MQTT filter module (ngx_stream_mqtt_filter_module) allows unauthenticated remote attackers to crash the NGINX worker process, causing a brief, recoverable service disruption. The vulnerability is data-plane only - no control plane exposure exists - and exploitation depends partly on runtime conditions outside the attacker's control, reflected by the CVSS 4.0 AT:P metric. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; F5 has released a patch documented in advisory K000162101.

Nginx Buffer Overflow Information Disclosure Nginx Plus
NVD
CVSS 4.0
6.3
CVE-2026-56434 HIGH PATCH This Week

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-middle attacker who can control upstream responses corrupt worker-process memory or crash the worker, but only in the non-default configuration combining Server-Side Includes, proxy_pass, and proxy_buffering off. The impact is confined to the data plane with no control-plane exposure, yielding limited memory modification and worker restarts (denial of service) rather than full code execution. No public exploit identified at time of analysis, though a vendor patch is available and the flaw carries a CVSS 4.0 score of 8.3.

Nginx Use After Free Memory Corruption Information Disclosure Nginx Plus +1
NVD
CVSS 4.0
8.3
CVE-2026-42533 CRITICAL PATCH Act Now

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (DoS) and, on hosts with ASLR disabled or bypassed, potentially execute arbitrary code by sending crafted HTTP requests. The flaw is a data-plane-only issue triggered when a regex-based map directive references the map's regex capture variables before the map output variable in a string expression, or via a non-cacheable variable under certain conditions. F5 has released a patched version; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Nginx Heap Overflow Buffer Overflow RCE Nginx Plus +1
NVD
CVSS 4.0
9.2
CVE-2026-60062 MEDIUM PATCH This Month

Path traversal in F5 NGINX Agent via the config_dirs directive enables a remotely authenticated low-privileged attacker to read and write files outside of the directories designated as secure in the agent's configuration. The config_dirs directive can be set directly in the NGINX Agent configuration or through NGINX Instance Manager, expanding the attack surface across both products. No public exploit code or active exploitation has been identified at time of analysis, and a vendor patch is available per F5 advisory K000161971.

Nginx Path Traversal Nginx Agent Nginx Instance Manager
NVD
CVSS 4.0
5.3
CVE-2026-52865 HIGH PATCH This Week

Denial of service in F5 NGINX Ingress Controller allows an authenticated remote attacker holding write access to Ingress or TransportServer resources to crash the control plane by submitting a malformed resource. Because the offending resource persists in the cluster, the controller re-reads it and re-crashes, producing a durable crash loop rather than a one-time outage. There is no public exploit identified at time of analysis, and impact is confined to the control plane with no data plane or confidentiality/integrity exposure.

Nginx Denial Of Service Null Pointer Dereference Nginx Ingress Controller
NVD
CVSS 4.0
7.1
CVE-2026-55723 HIGH PATCH This Week

Configuration injection in F5 NGINX Ingress Controller lets an authenticated Kubernetes user with rights to create or modify Ingress CRDs or annotations smuggle arbitrary NGINX directives into the generated configuration. Because multiple user-controllable fields are written to the config without sanitization, an attacker can inject directives that create or delete files and disable services on the control plane. No public exploit identified at time of analysis; this is a control-plane-only issue with no data plane exposure, but the CVSS 4.0 score of 8.7 (High) reflects strong confidentiality and integrity impact.

Nginx Kubernetes Code Injection Nginx Ingress Controller
NVD
CVSS 4.0
8.7
CVE-2026-49972 HIGH PATCH This Week

Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

PHP Nginx RCE File Upload Apache +1
NVD GitHub
CVSS 4.0
7.7
EPSS
0.8%
CVE-2026-52747 HIGH PATCH This Week

WAF filtering bypass in OWASP ModSecurity (libmodsecurity) before 3.0.16 lets remote unauthenticated attackers smuggle malicious payloads past inspection rules by exploiting a multipart/form-data parser differential. The engine silently strips embedded line breaks from non-file form-field values before populating ARGS and ARGS_POST, so any rule whose detection depends on a newline (e.g. command, header, or injection syntax spanning a line break) fails to match while the backend still receives and acts on the intact payload. No public exploit identified at time of analysis, but the CVSS base score of 8.6 reflects a scope-changing integrity impact on every application shielded by an affected deployment.

Information Disclosure Nginx Apache Modsecurity
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.5%
CVE-2026-52761 MEDIUM PATCH This Month

WAF rule bypass in ModSecurity 3.0.0-3.0.15 on i386 architecture allows network-accessible attackers to evade rules that use the t:utf8toUnicode transformation, potentially permitting injection attacks or other malicious payloads to reach protected applications undetected. The root cause is CWE-467 - sizeof() applied to a char pointer in utf8_to_unicode.cc yields the pointer width (4 bytes on i386) rather than the unicode buffer length, corrupting transformation output. No public exploit code or active exploitation has been identified at time of analysis; the fix is available in v3.0.16.

Authentication Bypass Nginx Apache Modsecurity
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-53727 Ruby HIGH POC PATCH GHSA This Week

Server-side request forgery (and cross-scheme local file disclosure) in the Ruby css_parser gem (all versions prior to 3.0.0) lets an attacker who can land a single @import url(...) rule in parsed CSS force the server to issue arbitrary HTTP/HTTPS GETs to any internal host, port or IP, and — via an attacker-controlled 302 redirect to a file:// URI — read local files. Premailer-style consumers that re-emit the parsed CSS into rendered HTML/email leak any CSS-shaped response bytes back to the attacker, turning this into a data-exfiltration channel rather than a blind SSRF. No public CVSS is published and it is not in CISA KEV, but a complete working proof-of-concept (poc.rb) is included in the advisory, so publicly available exploit code exists.

Kubernetes Hashicorp SSRF Canonical Nginx +5
NVD GitHub
CVE-2026-54652 HIGH This Week

{service} endpoint to download raw Frigate and nginx logs. Those logs record request query strings containing auto-generated admin passwords and camera credentials, so a viewer can harvest them and re-authenticate as administrator. No public exploit identified at time of analysis, but the flaw is mechanically trivial to abuse once any viewer session exists, and no fixed release has been identified.

Privilege Escalation Nginx
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-53518 npm HIGH PATCH GHSA This Week

Single-use authorization-code enforcement can be bypassed under concurrency in the better-auth OAuth provider (@better-auth/oauth-provider 1.6.0 through 1.6.10, the embedded plugin in better-auth 1.4.8-beta.7 through 1.6.10, and the legacy oidc-provider and mcp plugins). Because the POST /oauth2/token authorization_code grant redeems the code via a non-atomic find-then-delete, two concurrent requests carrying the same code both pass the read step and each mint a fresh access, refresh, and id token for the original user's scope. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor rates it CVSS 4.0 7.6 (High) with high confidentiality and integrity impact.

Authentication Bypass Nginx Redis Microsoft
NVD GitHub
CVSS 4.0
7.6
CVE-2026-53646 HIGH This Week

Account takeover in FOSSBilling 0.5.6 through 0.7.2 arises because the reset_password guest API endpoint reuses an existing, unexpired ClientPasswordReset token rather than rotating it on each request. An attacker who has captured a victim's earlier reset link retains a valid path to hijack the account even after the victim requests a fresh reset, since the original token is never invalidated and its 15-minute window is anchored to the first request. No public exploit is identified at time of analysis, and the CVSS 4.0 score is 7.7 (High); version 0.8.0 fixes the flaw.

Information Disclosure Nginx Apache
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-54617 Maven CRITICAL GHSA Act Now

Arbitrary file read in GravitLauncher LaunchServer ≤ 5.7.11 lets an unauthenticated remote attacker retrieve any file readable by the server process via a path-traversal in the default-enabled HTTP file server on port 9274. Because the exposed files include the ECDSA key that signs access JWTs (.keys/ecdsa_id), the refresh-token salt, and database credentials, the flaw escalates from information disclosure to a full authentication bypass allowing forged admin tokens. Publicly available exploit code exists (a raw-socket PoC in the advisory); the issue is not listed in CISA KEV and no active exploitation is confirmed.

Path Traversal Authentication Bypass Nginx Java Information Disclosure
NVD GitHub
CVSS 3.1
9.8
CVE-2026-58467 HIGH POC PATCH This Week

Arbitrary file disclosure and PHP local file inclusion in Cockpit CMS before release 364 lets unauthenticated remote attackers read files outside the web root and, on certain server setups, cause the application to include() attacker-chosen .php files. The flaw stems from unvalidated PATH_INFO (derived from REQUEST_URI) being used to build filesystem paths without containment checks. Publicly available exploit code exists; it is not listed in CISA KEV and no EPSS score was provided.

Path Traversal Nginx PHP Cockpit
NVD GitHub
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-45045 Go MEDIUM PATCH GHSA This Month

IP header spoofing in GoFiber's BalancerForward proxy middleware allows any remote unauthenticated attacker to inject a forged X-Real-IP header that upstream servers treat as authoritative. The middleware calls Header.Add() rather than Header.Set() when stamping the real client IP, causing the attacker-supplied value to remain as the first header instance - the one read by nginx, Express, Apache, and most HTTP servers for rate limiting, IP-based ACLs, and audit logging. No public exploit has been identified at time of analysis, but exploitation requires only the ability to set an arbitrary HTTP header, making this trivially accessible to any network attacker targeting deployments using the BalancerForward helper.

Authentication Bypass Nginx Node.js Apache
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-5524 CRITICAL Act Now

Arbitrary file upload leading to remote code execution in the Divi Form Builder WordPress plugin (versions through 5.1.8) lets unauthenticated attackers upload executable PHP files and run arbitrary code on the server. Attacker-controlled input from the acceptFileTypes POST parameter is interpolated directly into the file-validation regex in do_image_upload(), allowing alternate PHP extensions (.phtml, .phar, .php5, .php7) that evade the plugin's .php-only .htaccess block - and on Nginx the .htaccess protection does not apply at all. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 9.8 rating and Wordfence's technical disclosure make this a high-priority patching target.

WordPress Nginx PHP RCE File Upload +1
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-58446 MEDIUM POC PATCH This Month

Authentication bypass in Presenton's bundled MCP server exposes server and Docker deployments to unauthenticated remote exploitation via the unprotected /mcp endpoint. When operators configure session authentication using AUTH_USERNAME/AUTH_PASSWORD, nginx enforces access control on all paths except /mcp, which is absent from the auth_request gate - and the MCP server compounds this by auto-minting valid internal session tokens for the configured user on any incoming request. An unauthenticated remote attacker can therefore invoke MCP tools such as generate_presentation as if fully authenticated, consuming the operator's LLM API keys and writing arbitrary presentations to the instance. A publicly available proof-of-concept exists; no active exploitation confirmed in CISA KEV.

Authentication Bypass Nginx Docker Presenton
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-44163 Ruby MEDIUM PATCH GHSA This Month

Memory exhaustion in fluent-plugin-opentelemetry versions 0.5.2 and earlier allows unauthenticated remote attackers to crash the Fluentd process by sending an oversized HTTP request body or a decompression bomb to the `in_opentelemetry` HTTP input endpoint (default port 4318). The plugin reads and decompresses the entire payload into memory without enforcing size thresholds, enabling an OOM kill of Fluentd and complete disruption of log collection and forwarding on the affected node. No public exploit code or CISA KEV listing has been identified at time of analysis.

Nginx Denial Of Service
NVD GitHub
CVSS 3.1
5.3
CVE-2026-44160 Ruby HIGH PATCH GHSA This Week

Denial of service in Fluentd (rubygems package, versions <= 1.19.2) lets remote attackers crash the log collector by sending a gzip decompression bomb to the in_http (default port 9880) or in_forward (default port 24224) plugins. Although Fluentd enforces body_size_limit and chunk_size_limit on the compressed payload, it applies no ceiling on the decompressed output, so a tiny crafted payload expands in memory until the OS OOM-kills the process. No public exploit identified at time of analysis and it is not in CISA KEV, but EPSS-style risk is bounded by the requirement that an input port be reachable from an untrusted network.

Nginx Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-54762 Go MEDIUM PATCH GHSA This Month

The Kubernetes Ingress NGINX provider in Traefik v3.7.0-ea.1 through v3.7.4 fails open when BasicAuth or DigestAuth cannot be installed because the referenced auth-secret is unresolvable, silently publishing the intended-to-be-protected backend route without any authentication middleware to unauthenticated network clients. Operators who explicitly configure auth via nginx.ingress.kubernetes.io/auth-type and auth-secret annotations are left with a live, fully accessible backend route while Traefik logs a single controller-level error and routes traffic normally - a direct violation of the declared security intent. A detailed proof-of-concept covering eight distinct secret-failure scenarios was developed by the reporter and confirmed on both current master and v3.7.1; no public release of exploit code is confirmed and no CISA KEV listing exists at time of analysis.

Nginx Kubernetes Denial Of Service Docker Red Hat +1
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-55791 PHP MEDIUM PATCH GHSA This Month

Server-Side Request Forgery and arbitrary JavaScript injection in Craft CMS 4.x (before 4.18) and 5.x (before 5.10) allow remote unauthenticated attackers to poison the Host or X-Forwarded-Host header against the /actions/app/resource-js endpoint, forcing the backend Guzzle client to proxy attacker-controlled content as application/javascript. When the instance sits behind a caching layer, this chains into web cache poisoning, stored XSS in the Control Panel, and 1-click RCE via session-riding the plugin install action. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c55v-343g-5xff) provides detailed exploitation mechanics.

SSRF RCE Apache XSS Nginx
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-47256 Go MEDIUM PATCH GHSA This Month

Path traversal and query-string injection in the OpenTelemetry Collector Contrib Sentry exporter allows any OTLP span sender to redirect the collector's operator bearer token to arbitrary Sentry API endpoints - including privileged admin, organization, and member management endpoints. The vulnerability stems from the `service.name` span attribute being interpolated directly into Sentry API URLs via `fmt.Sprintf` without validation, while the existing `projectSlugRegexp` safeguard is only applied to operator-configured mappings and never to runtime-derived slugs. No CISA KEV listing exists at time of analysis, but the GHSA advisory provides detailed exploitation steps demonstrating both a universally reliable query-string injection vector and a nginx-dependent path traversal vector, with a fixed version available at 0.154.0.

Path Traversal Nginx Kubernetes
NVD GitHub
CVSS 3.1
5.3
CVE-2026-32682 HIGH This Week

Denial-of-service in F5 NGINX Gateway Fabric allows an authenticated Kubernetes user with rights to create or modify GRPCRoute resources to crash the control plane by submitting GRPCRoute objects containing malformed backendRef filters. The flaw, tracked under CWE-129 (Improper Validation of Array Index), carries a CVSS 4.0 score of 7.1 with pure availability impact and no public exploit identified at time of analysis.

Nginx Information Disclosure Nginx Gateway Fabric
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-50107 HIGH This Week

Configuration injection in F5 NGINX Gateway Fabric allows an authenticated Kubernetes user with permission to create or modify NginxProxy Custom Resource Definitions to inject arbitrary NGINX directives into generated configuration files via the unsanitized access log format setting. The flaw resides in the control plane configuration generator and affects deployments using NGINX Plus or NGINX Open Source as the data plane. There is no public exploit identified at time of analysis, and CVSS 4.0 rates the impact at 8.6 (High) driven by high confidentiality and integrity loss on the vulnerable system.

Nginx Code Injection Nginx Gateway Fabric
NVD VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-11311 HIGH This Week

Configuration injection in F5 NGINX Gateway Fabric lets an authenticated Kubernetes user who can create or modify NginxProxy or AuthenticationFilter Custom Resources inject arbitrary NGINX directives into generated data-plane configuration. The flaw lives in the control-plane config generator, which renders the serverTokens and extraAuthArgs fields into NGINX templates without escaping, so any tenant holding RBAC rights over these CRDs can rewrite the NGINX Plus config that gets deployed. There is no public exploit identified at time of analysis and EPSS is low (0.36%), but SSVC rates the technical impact as total.

Nginx Code Injection Nginx Gateway Fabric
NVD VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-48142 MEDIUM PATCH This Month

Heap buffer over-read in NGINX Plus and NGINX Open Source's ngx_http_charset_module exposes limited worker process memory or triggers a worker restart when remote unauthenticated attackers send crafted requests against a non-default charset conversion configuration. Exploitation requires both a specific dual-directive configuration (source_charset utf-8 alongside a differing charset directive such as koi8-r in the same location block) and content-dependent conditions outside the attacker's direct control, reflected in the CVSS AC:H rating. No public exploit code exists and this CVE does not appear in the CISA KEV catalog; the vendor F5 has published advisory K000161585 with patched version guidance.

Nginx Information Disclosure Buffer Overflow Nginx Open Source Nginx Plus +2
NVD VulDB
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-42055 CRITICAL POC PATCH NEWS Act Now

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic upstream when ignore_invalid_headers is off and large_client_header_buffers exceeds 2 MB. Remote unauthenticated attackers sending oversized headers can crash the worker process, and where ASLR is disabled or bypassable, achieve arbitrary code execution. No public exploit identified at time of analysis and CISA SSVC marks exploitation as 'none', but technical impact is rated total.

Nginx Heap Overflow Buffer Overflow Nginx Open Source Nginx Plus
NVD VulDB GitHub
CVSS 4.0
9.2
EPSS
0.6%
CVE-2026-42530 CRITICAL POC PATCH NEWS Act Now

Use-after-free in NGINX Open Source's ngx_http_v3_module allows remote unauthenticated attackers to crash worker processes and potentially execute arbitrary code on hosts where HTTP/3 QUIC is enabled. Exploitation requires a specially crafted HTTP/3 session that reopens a QPACK encoder stream, with code execution contingent on ASLR being disabled or bypassed; no public exploit identified at time of analysis, though SSVC technical impact is rated total.

Nginx Use After Free Memory Corruption Authentication Bypass Nginx Open Source
NVD VulDB GitHub
CVSS 4.0
9.2
EPSS
0.8%
CVE-2026-48746 PyPI CRITICAL PATCH GHSA Act Now

Authentication bypass in vLLM versions 0.3.0 through 0.21.x allows remote unauthenticated attackers to reach OpenAI-compatible API endpoints without supplying the configured VLLM_API_KEY by injecting URL-special characters into the HTTP Host header. The flaw stems from vLLM's AuthenticationMiddleware reconstructing the request URL via starlette's URL(scope) - which trusts an unsanitized Host value - while FastAPI routing uses the raw HTTP path, producing a mismatch the attacker controls. No public exploit identified at time of analysis, but x41-dsec disclosed full technical details and a vendor-released patch is available in 0.22.0.

Nginx Authentication Bypass Request Smuggling
NVD GitHub
CVSS 3.1
9.1
EPSS
0.7%
CVE-2026-48818 PyPI HIGH PATCH GHSA This Week

Server-side request forgery in Starlette's StaticFiles on Windows allows unauthenticated remote attackers to coerce the application process into making outbound SMB connections to attacker-controlled hosts, leaking the service account's NTLMv2 hash for offline cracking or NTLM relay. The flaw affects all Starlette versions before 1.1.0 (including downstream frameworks like FastAPI) when running on Windows in the default follow_symlink=False configuration, and no public exploit identified at time of analysis though the GHSA advisory provides full technical detail sufficient to reproduce.

Python Nginx Microsoft SSRF
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-50892 MEDIUM This Month

Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.

Nginx N A Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-53999 Go HIGH PATCH GHSA This Week

Cross-tenant container deletion in the Radius Kubernetes controller (versions <= v0.57.1) allows a tenant with Deployment annotation-edit rights to coerce the high-privilege controller into deleting another tenant's container resource by injecting a forged radapp.io/status JSON blob. The flaw is a classic Confused Deputy (CWE-441/CWE-20) that yields an availability-only impact, is most severe in multi-tenant installs, and currently has publicly available exploit code via the GHSA advisory but no public exploit identified at time of analysis in CISA KEV.

Privilege Escalation Nginx Kubernetes
NVD GitHub
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-47768 Go MEDIUM PATCH GHSA This Month

Sensitive information disclosure in nebula-mesh (all versions ≤ v0.3.1) leaks newly-minted 32-byte operator API bearer tokens into browser URL history, cross-origin Referer headers, and reverse-proxy access logs by embedding the raw token in a 303 redirect query string. Any actor with read access to nginx combined-format logs, CDN logs, or browser history backup storage can harvest the token and impersonate the operator via the API. A secondary CWE-116 flaw in the same handler omits url.QueryEscape on the user-supplied key name, enabling query-string corruption and potential header injection in older proxies. No public exploit identified at time of analysis; a detailed step-by-step reproducer is included in the GitHub Security Advisory GHSA-9pg3-25fq-p6cc. Fix is available in v0.3.2.

Nginx Information Disclosure
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45569 HIGH This Week

Path traversal in Roxy-WI versions 8.2.6.4 and prior allows authenticated remote attackers to read arbitrary configuration files via the config_file_name and configver parameters. The vendor's attempted fix in commit d4d10006 is ineffective due to a logic error - it uses Python tuple-membership instead of substring containment - leaving all realistic '../' payloads unblocked, with no public exploit identified at time of analysis.

Path Traversal Nginx Apache
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-45567 HIGH This Week

Authentication bypass in Roxy-WI versions 8.2.6.4 and prior allows remote unauthenticated attackers to reach protected API functionality by including the 'api' substring in the URL, with the /api/gpt endpoint specifically exposed without authentication. The flaw carries a CVSS 8.3 with scope change and affects a web management interface for HAProxy, Nginx, Apache, and Keepalived, and no public exploit has been identified at time of analysis. No vendor-released patch exists at time of publication, making this a high-priority issue for any internet-exposed installation.

Authentication Bypass Nginx Apache
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-45566 MEDIUM This Month

Open redirect in Roxy-WI versions 8.2.6.4 and prior allows unauthenticated remote attackers to silently redirect authenticated users to attacker-controlled domains by exploiting a bypass in the login flow's URL filter. The filter blocks `next` parameter values containing `http://` or `https://` substrings but does not account for RFC-3986 userinfo@host syntax; submitting `next=@evil.example/path` causes the server to construct `https://victim.example@evil.example/path`, which modern browsers route to `evil.example`. No public exploit code has been identified at time of analysis, no patch is available, and this vulnerability is not listed in CISA KEV.

Nginx Open Redirect Apache
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45565 HIGH This Week

Path traversal bypass in Roxy-WI versions 8.2.6.4 and earlier allows authenticated remote attackers to escape input sanitization in the EscapedString Pydantic validator and inject shell metacharacters alongside '..' sequences. The flaw stems from a flawed if/elif/elif/else control flow that strips metacharacters without re-enforcing the '..' block, and the result is never shlex-quoted before reaching downstream command contexts. No public exploit identified at time of analysis, and no vendor-released patch identified at time of analysis.

Information Disclosure Nginx Apache
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-45564 HIGH This Week

Authenticated command injection in Roxy-WI versions 8.2.6.4 and prior allows low-privileged users (role <= 3, 'user') to execute arbitrary OS commands by abusing the configver URL-path parameter on POST /config/versions/<service>/<server_ip>/<configver>/save, which flows unsanitized into an os.system() call wrapping dos2unix. No public exploit identified at time of analysis, but the GHSA advisory is published and no vendor patch exists, leaving exposed instances at immediate risk of full compromise of the management interface host.

Command Injection Nginx Apache
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-45563 MEDIUM This Month

Roxy-WI 8.2.6.4 and prior exposes a broken object-level authorization flaw in its audit history endpoint, allowing any authenticated user to read any other user's full action audit trail. The GET /history/user/<server_ip> endpoint conflates the server_ip path parameter with a user identifier and performs no authorization check, meaning a guest account in an unrelated group can enumerate administrators' operational history including server IPs touched, configs deployed, and services restarted. No patch is available at time of publication; no public exploit code or active exploitation has been identified.

Authentication Bypass Nginx Apache
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45561 MEDIUM This Month

{version,uptime,status,checks}/<server_ip>` route family passes the Flask URL path parameter directly into a Python `requests.get()` call without any allowlist or blocklist validation, making IPv4 literals such as 169.254.169.254, RFC1918 ranges, and 127.0.0.1 all valid targets. No publicly available patches exist at time of analysis, and no public exploit code or CISA KEV listing has been identified.

Python Nginx SSRF Apache
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45560 MEDIUM This Month

Stored cross-site scripting in Roxy-WI 8.2.6.4 and prior allows any unauthenticated remote attacker who can send HTTP requests to a managed HAProxy or Nginx load balancer to inject malicious payloads into server access logs, which then execute in the browser of any Roxy-WI administrator who opens the log viewer. The vulnerability stems from unsanitized HTML concatenation in the Python backend combined with unsafe jQuery .html()/.append() rendering on the frontend - a classic stored XSS with a changed scope (S:C) because the attacker's input, written via the load balancer, achieves code execution in the privileged admin web UI context. No publicly available patches exist at time of analysis; no public exploit code or CISA KEV listing has been identified.

XSS Nginx Apache
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45559 MEDIUM This Month

LDAP injection in Roxy-WI 8.2.6.4 and prior exposes LDAP directory attributes to authenticated administrators who can manipulate search filter logic via the username URL path parameter. The vulnerable function get_ldap_email (app/modules/roxywi/user.py:120-157) constructs LDAP queries through unsanitized f-string concatenation, enabling injection of additional filter clauses such as *)(mail=*)(cn=* to enumerate or harvest attributes beyond the intended user record. No patch is available at time of publication, and no public exploit identified at time of analysis.

Code Injection Nginx Apache LDAP
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-45558 CRITICAL Act Now

Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated low-privilege users (role ≤ 3) to inject arbitrary HAProxy directives via unvalidated JSON option fields in the HAProxy section-save API endpoints, achieving command execution as the haproxy user on every managed load balancer. No public exploit has been identified at time of analysis, but the attack is straightforward given the documented injection path through the section.j2, global.j2, and defaults.j2 Ansible templates, and no vendor-released patch is available.

RCE Nginx Apache
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-45556 CRITICAL Act Now

Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated users to write attacker-controlled content to arbitrary absolute paths on managed load balancers via the WAF rule save endpoint. By dropping a malicious cron file (e.g., /etc/cron.d/nginx_cfg_evil), an attacker achieves root-level code execution on every load balancer in the caller's group. No public exploit identified at time of analysis, and no vendor-released patch is currently available, making this a high-priority issue for any exposed deployment.

Information Disclosure Nginx Apache
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-45550 CRITICAL Act Now

Cross-tenant data tampering in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user to silently overwrite HTTP, TCP, Ping, and DNS monitoring checks belonging to other tenants by sending a crafted PUT /smon/check request with another tenant's smon_id. The flaw stems from missing user_group authorization on the UPDATE SQL path (CWE-639, IDOR), while the DELETE path is correctly filtered - confirming the maintainers knew the right pattern but failed to apply it on update. No public exploit identified at time of analysis, and no vendor-released patch is available, raising operational risk for multi-tenant deployments.

Authentication Bypass Nginx Apache
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-45549 HIGH This Week

Privilege escalation in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user - including the lowest-privilege 'guest' role 4 - to start, stop, or restart the roxy-wi-smon-agent systemd unit on arbitrary managed servers, with the action executing as root via Roxy-WI's passwordless sudo SSH credentials. The flaw stems from missing role and group-ownership checks on the agent_action endpoint, and no public exploit has been identified at time of analysis though the vulnerability is trivially reachable once an account exists.

Authentication Bypass Nginx Apache
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-45552 CRITICAL Act Now

Privilege escalation and cross-tenant compromise in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user - including the default guest role 4 - to install or reconfigure exporters, WAF, and GeoIP databases on every managed server regardless of tenant ownership. Because the affected installer endpoints lack role and group decorators, low-privilege users can pivot through stored SSH credentials with sudo to achieve root-level command execution on HAProxy/Nginx/Apache hosts belonging to other tenants. No public exploit identified at time of analysis, but the issue is unpatched and rated CVSS 9.9.

Authentication Bypass Nginx Apache
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-40519 HIGH PATCH This Week

Authenticated remote code execution in Nginx Proxy Manager versions 2.9.14 through 2.15.1 allows users holding the certificates:manage permission to inject arbitrary OS commands via the dns_provider_credentials field, which executes on backend restart as the service account. No public exploit has been identified at time of analysis, but the vendor patch (commit a5db5ed) and a VulnCheck advisory disclose the exact sink (child_process.exec in setupCertbotPlugins), making weaponization straightforward. CVSS 7.5 (AV:N/AC:H/PR:L) reflects the authentication and timing prerequisites rather than reduced impact - successful exploitation yields full code execution on the proxy host.

RCE Nginx Command Injection Nginx Proxy Manager
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-43926 MEDIUM PATCH This Month

Password reset token enumeration in FOSSBilling prior to 0.8.0 exposes three authentication endpoints - including the elevated-privilege admin reset at `/staff/email/:hash` - to unlimited brute-force guessing due to a rate limiter architecturally scoped exclusively to `/api/*` routes. The confirmation endpoint acts as a CWE-204 oracle, returning distinguishable HTTP responses (200 for valid tokens, 302 redirect for invalid), allowing an unauthenticated remote attacker to probe token validity without throttling, lockout, or attempt counting. Practical exploitation risk is substantially reduced by 256-bit token entropy (`hash('sha256', random_bytes(32))`) combined with a 15-minute expiry window, which is accurately reflected in the CVSS 4.0 AC:H/AT:P scoring; no public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Oracle Apache Nginx Fossbilling
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-44182 PyPI CRITICAL PATCH GHSA Act Now

YAML injection in Jupyter Enterprise Gateway prior to 3.3.0 allows attackers controlling KERNEL_* environment variables submitted via the /api/kernels endpoint to manipulate Kubernetes manifest rendering, escalating to privileged pod creation and full cluster compromise. The Jinja2 template at kernel-pod.yaml.j2 interpolates untrusted values without YAML-aware escaping, allowing both key overwrites (e.g., securityContext) and multi-document YAML injection to spawn arbitrary Pods, Secrets, PVCs, PVs, Services, and ConfigMaps. A detailed proof-of-concept is published in the GHSA advisory, though no CISA KEV listing or in-the-wild exploitation has been confirmed at time of analysis.

Kubernetes Nginx RCE
NVD GitHub
EPSS
0.1%
CVE-2026-49975 HIGH POC PATCH This Week

Denial of service in Apache HTTP Server 2.4.17 through 2.4.67 (via the bundled mod_http2 module) allows remote unauthenticated attackers to exhaust server memory by sending crafted HTTP/2 requests whose cookie headers are not correctly counted against LimitRequestFields. Publicly available exploit code exists and a third-party write-up describes a 'hidden HTTP/2 bomb,' but EPSS exploitation probability is currently very low (0.02%, 5th percentile) and the CVE is not on the CISA KEV list.

Apache Denial Of Service Http Server Nginx Debian Linux
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-47203 Go LOW PATCH GHSA Monitor

Brute force regulation bypass in Authelia's Basic Auth flow (versions 4.38.0-4.39.19) allows unauthenticated remote attackers to partially circumvent account lockout controls by submitting login attempts using case variants of a target username (e.g., 'john', 'John', 'JOHN'). Because Authelia passes the raw Authorization header username to the regulation system without canonicalization, and LDAP backends treat these as the same identity while the regulation SQL queries treat them as distinct, each casing variant occupies a separate ban bucket - multiplying the effective attempt quota before lockout triggers. No public exploit identified at time of analysis, and the CVSSv4 weighted score of 2.9 (Low) reflects the narrow exploitation conditions required and the lack of attacker feedback during exploitation.

Information Disclosure Nginx
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-9508 CRITICAL PATCH Act Now

Unauthenticated backup file disclosure in Suprema BioStar 2 server (versions 2.9.3 through 2.9.11) allows remote attackers to download sensitive backup ZIP archives directly via predictable '/download/' URLs when the administrator places the backup path inside the NGINX webroot. The exposed archives can contain database credentials and cryptographic material enabling server impersonation, database compromise, and lateral movement. No public exploit identified at time of analysis, but SSVC rates the flaw as automatable with total technical impact and CVSS 4.0 scores it 10.0.

Authentication Bypass Nginx
NVD
CVSS 4.0
10.0
EPSS
0.1%
CVE-2026-45725 PyPI HIGH PATCH GHSA This Week

Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets an attacker who controls a referenced OSCAL artifact plant attacker-supplied content anywhere the trestle process can write. The HTTPSFetcher and SFTPFetcher cache layer builds the local cache file path directly from the URL path component, so when trestle imports a remote OSCAL profile whose href contains `../` traversal the fetched HTTP/SFTP response body escapes the .trestle cache directory; overwriting files such as /etc/cron.d entries, ~/.ssh/authorized_keys, or a module on sys.path turns the primitive into code execution. A reproducible public proof-of-concept exists in the GHSA advisory (GHSA-g3vg-vx23-3858); the flaw is not listed in CISA KEV and no CVSS or EPSS scoring is provided, but the maintainers have shipped fixes in 4.0.3 and 3.12.2.

IBM RCE Python Nginx Path Traversal
NVD GitHub
EPSS
0.0%
CVE-2026-46529 HIGH PATCH This Week

Command injection in Atril (MATE document viewer) and related forks Evince/Xreader allows attackers to execute arbitrary shell commands when a victim opens a maliciously crafted document. The fix, shipped in Atril 1.26.3 and 1.28.4, quotes user-supplied strings passed to the ev_spawn command line, indicating unsanitized input was being interpolated into a spawned subprocess. No public exploit identified at time of analysis, but disclosure on oss-security and Debian LTS advisories suggests Linux desktop distributions are actively patching.

Command Injection Nginx Apache
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-9256 CRITICAL POC PATCH Act Now

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated remote attackers sending crafted HTTP requests that target rewrite directives using overlapping PCRE captures (e.g., $1$2 referencing ^/((.*))$) in redirect or arguments contexts. Impact ranges from worker process crash/restart to arbitrary code execution where ASLR is disabled or bypassed; publicly available exploit code exists, though EPSS exploitation probability is low (0.15%, 35th percentile) and the issue is not in CISA KEV.

Buffer Overflow Nginx Heap Overflow Nginx Plus Nginx Open Source
NVD VulDB GitHub
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-8711 CRITICAL PATCH Act Now

Heap buffer overflow in F5 NGINX JavaScript (njs) module versions 0.9.4 through 0.9.8 allows unauthenticated remote attackers to crash NGINX worker processes, with potential remote code execution on hosts where ASLR is disabled. Exploitation requires the deployment to use the js_fetch_proxy directive with at least one client-controlled NGINX variable (such as $http_*, $arg_*, or $cookie_*) and a location that invokes ngx.fetch(). No public exploit identified at time of analysis, but a vendor patch is available and the CVSS 4.0 base score of 9.2 reflects the high impact across confidentiality, integrity, and availability.

RCE Buffer Overflow Nginx Heap Overflow
NVD VulDB
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-45578 PHP HIGH GHSA This Week

Remote code execution in AVideo streaming platform allows authenticated users with streaming privileges to execute arbitrary OS commands through shell metacharacter injection in the Live plugin. The vulnerability exists in the on_publish.php webhook endpoint which builds shell commands using unsafe string concatenation instead of proper escaping, allowing attackers to inject commands via specially crafted stream keys containing single quotes. While the CVSS indicates low privileges required (authenticated users with canStream permission), the impact is severe as it grants full web server user access.

Command Injection Apache Nginx RCE PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44883 Go HIGH PATCH GHSA This Week

Token leakage in Portainer's authentication middleware allows JWT bearer tokens passed via the `?token=<JWT>` URL query parameter to be harvested from reverse-proxy access logs, browser history, and HTTP Referer headers, enabling account takeover for the validity window of the token (default 8 hours). The flaw affected any user with container exec/attach rights - not just administrators - and a leaked admin token grants full control of Portainer and every managed Docker/Kubernetes environment. No public exploit identified at time of analysis, though the underlying behavior was present since JWT auth was introduced and the GitHub Security Advisory provides sufficient detail to weaponize.

Kubernetes Docker Information Disclosure Nginx
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-46356 Go MEDIUM PATCH GHSA This Month

Fleet instances fail to validate the origin of client IP headers (True-Client-IP, X-Real-IP, X-Forwarded-For) before using them for API rate limiting, allowing unauthenticated attackers to bypass per-IP brute-force protections on sensitive endpoints such as login by rotating header values across requests. This vulnerability primarily affects Fleet deployments directly exposed to the internet without a reverse proxy that overwrites forwarded headers; instances behind properly configured proxies or WAFs have reduced exposure.

Authentication Bypass Nginx
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-42926 MEDIUM PATCH This Month

NGINX Open Source configured to proxy HTTP/2 traffic with proxy_http_version set to 2 combined with proxy_set_body allows remote unauthenticated attackers to inject frame headers and payload bytes to upstream peers, enabling potential header injection or request manipulation attacks. The vulnerability affects default configurations without requiring authentication or user interaction, with CVSS 5.8 indicating moderate integrity impact across networked systems. No public exploit code or active exploitation has been confirmed at this time.

Code Injection Nginx Nginx Open Source
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-40460 MEDIUM PATCH This Month

NGINX Plus and NGINX Open Source configured with the HTTP/3 QUIC module allows unauthenticated remote attackers to spoof source IP addresses, enabling bypass of authorization checks and rate-limiting controls. The vulnerability affects both commercial and open-source variants when QUIC is explicitly enabled, with patches available from F5.

Authentication Bypass Nginx Nginx Plus Nginx Open Source
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-42946 HIGH PATCH This Week

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle position between NGINX and upstream servers to read worker process memory or crash the service. Affects both NGINX Open Source and NGINX Plus when scgi_pass or uwsgi_pass directives are configured. The vulnerability requires network positioning between NGINX and its backend servers (AV:N with AT:P - Present attack complexity), making exploitation dependent on network architecture. No public exploit identified at time of analysis. CVSS 8.3 (High) reflects potential for confidential data exposure but limited by MITM prerequisite.

Information Disclosure Nginx Nginx Plus Nginx Open Source
NVD VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-42934 MEDIUM PATCH This Month

Heap buffer over-read in NGINX's ngx_http_charset_module allows unauthenticated remote attackers to leak sensitive memory or crash worker processes when specific configuration directives (charset, source_charset, charset_map, and proxy_pass with buffering disabled) are combined. The vulnerability requires attacker-controlled conditions that depend on factors outside the attacker's control, limiting exploitability but creating real risk for affected deployments. CVSS 4.8 reflects the conditional nature of exploitation and limited scope of impact (information disclosure or availability).

Information Disclosure Buffer Overflow Nginx Nginx Plus Nginx Open Source
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-42945 CRITICAL POC PATCH CISA NEWS Act Now

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. F5 has released patches addressing this critical flaw. EPSS data unavailable; no KEV listing or public exploit identified at time of analysis, though the specific configuration requirements and dependency on external conditions likely limit widespread exploitation despite the 9.2 CVSS score.

Heap Overflow RCE Buffer Overflow Nginx Nginx Plus +1
NVD GitHub VulDB HeroDevs
CVSS 4.0
9.2
EPSS
0.2%
Threat
5.3
CVE-2026-40701 MEDIUM PATCH This Month

Heap-use-after-free in NGINX Plus and NGINX Open Source allows unauthenticated remote attackers to trigger memory corruption in the worker process when ssl_verify_client is set to 'on' or 'optional' and ssl_ocsp is configured with a resolver. Exploitation can cause limited information disclosure or worker process restart, with CVSS 4.8 reflecting moderate impact constrained by high attack complexity. No public exploit code or active exploitation has been identified at time of analysis.

Information Disclosure Use After Free Memory Corruption Nginx Nginx Plus +1
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-39806 HIGH PATCH GHSA This Week

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection. A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement. This issue affects bandit: from 1.6.1 before 1.11.1.

Denial Of Service Nginx
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-42268 HIGH PATCH This Week

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule any of @verifySSN, @verifyCPF, or @verifySVNR. This vulnerability is fixed in 3.0.15.

Integer Overflow Apache Information Disclosure Nginx Red Hat +1
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-44015 Go HIGH GHSA This Week

Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.

SSRF Nginx
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-8430 CRITICAL PATCH Act Now

SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuration scenarios to achieve code execution, and this issue is not mitigated by the SPIP security screen.

Nginx Code Injection RCE
NVD VulDB
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-42581 Maven CRITICAL PATCH GHSA Act Now

HTTP request smuggling in Netty's netty-codec-http (HttpObjectDecoder) lets remote attackers desynchronize message boundaries by sending an HTTP/1.0 request carrying both Transfer-Encoding: chunked and Content-Length. Netty's anti-smuggling sanitization that strips the conflicting Content-Length header only runs for HTTP/1.1, so on HTTP/1.0 Netty parses the body as chunked while leaving Content-Length intact for any downstream Content-Length-first proxy, which then treats trailing chunk bytes as a new request. Publicly available exploit code exists (a working EmbeddedChannel PoC test), but EPSS is very low (0.03%, 8th percentile) and it is not in CISA KEV.

Authentication Bypass Request Smuggling Java Nginx
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-42559 LIB HIGH POC PATCH GHSA This Week

DNS rebinding in rmcp Rust crate allows malicious websites to control local MCP servers and achieve arbitrary code execution through exposed developer tools. Fixed in version 1.4.0 via Host header validation with loopback-only default allowlist. The vulnerability affects Streamable HTTP server transport only (stdio and child-process transports unaffected). Vendor-released patch available (PR #764, commit 8e22aa2). Similar vulnerabilities patched across TypeScript, Python, Go, and Java MCP SDKs indicate coordinated disclosure. CVSS 8.8 (network vector, low complexity, requires user interaction) reflects browser-mediated attack requiring victim to visit attacker site.

Python RCE Java Nginx
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43873 PHP HIGH PATCH GHSA This Week

Unauthenticated information disclosure in AVideo CloneSite plugin (versions ≤29.0) leaks the installation's shared secret authentication key through an error message, enabling attackers to impersonate the victim installation to its federated clone server and trigger a full database dump into a publicly accessible directory. The vulnerability chains two flaws: cloneClient.json.php echoes the local myKey credential in HTTP responses to any unauthenticated request due to incorrect $argv handling in web contexts, and the remote cloneServer.json.php then accepts this leaked key to authenticate mysqldump operations without IP restrictions or access controls on the resulting dump files. Patch available via GitHub commit e6566f56. No evidence of active exploitation (not in CISA KEV); EPSS data not provided. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from direct credential exposure plus cross-site database access in federated deployments.

PHP Information Disclosure Nginx
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30923 HIGH PATCH This Week

Worker process crashes occur in ModSecurity (libmodsecurity3) when processing query string parameters containing single characters through the t:hexDecode transformation function. Remote unauthenticated attackers can trigger repeated segmentation faults to disrupt web application firewall protection, though service automatically recovers once the attack ceases. All libmodsecurity3 versions before 3.0.15 are affected across Apache, IIS, and Nginx deployments. OWASP confirmed the vulnerability via GitHub security advisory GHSA-qrjc-3jpc-3h2g and released patch version 3.0.15 addressing this buffer overflow (CWE-125: Out-of-bounds Read).

Suse Denial Of Service Apache Buffer Overflow Nginx +2
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-42606 PHP HIGH PATCH GHSA This Week

Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.

Docker CSRF PHP Nginx
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42238 Go CRITICAL PATCH GHSA Act Now

Remote code execution as root in nginx-ui versions before 2.3.8 via unauthenticated backup restore within 10-minute startup window. Attackers exploit the completely unauthenticated /api/restore endpoint during initial installation to upload malicious backup archives that overwrite app.ini configuration with injected OS commands in TestConfigCmd setting. After automatic application restart, command injection triggers with privileges of the nginx-ui process - typically root in Docker deployments. EPSS data not available; no active exploitation reported but publicly disclosed via GitHub Security Advisory GHSA-4pvg-prr3-9cxr. Patch released in version 2.3.8.

Command Injection Nginx RCE Docker Code Injection
NVD GitHub VulDB
CVSS 4.0
9.0
EPSS
0.2%
CVE-2026-42223 Go MEDIUM POC PATCH GHSA This Month

nginx-ui versions prior to 2.3.8 expose 40+ protected configuration fields through the GetSettings API to authenticated users, including JwtSecret (auth token forgery), NodeSecret (cluster impersonation), and OIDC ClientSecret (OAuth takeover). The protected tag is enforced only during writes but completely ignored during reads, allowing authenticated attackers to extract sensitive secrets and IP whitelist configurations without requiring additional privileges or user interaction.

Information Disclosure Nginx
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42222 Go HIGH GHSA This Week

Unauthenticated bootstrap takeover in nginx-ui 2.3.5 allows remote attackers to hijack the initial installation process via crafted POST requests to /api/install endpoint. An attacker who successfully exploits the installation window gains full administrative control over the nginx-ui instance before legitimate administrators complete setup. No vendor-released patch identified at time of analysis, creating extended exposure risk for newly deployed instances.

Authentication Bypass Nginx
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42221 Go HIGH PATCH GHSA This Week

Unauthenticated attackers can hijack the administrator account during nginx-ui's first-run installation window by claiming the /api/install endpoint before legitimate operators. This race-condition vulnerability in nginx-ui versions 2.0.0 through 2.3.7 bypasses authentication controls entirely, allowing complete instance takeover with attacker-controlled credentials. The request-encryption mechanism protects only transit confidentiality, not authorization. Attack complexity is rated HIGH due to the narrow time window between deployment and legitimate setup completion. EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis, but exploitation requires only standard HTTP tools and timing.

Authentication Bypass Nginx
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-42220 Go MEDIUM POC PATCH GHSA This Month

nginx-ui prior to version 2.3.8 exposes sensitive configuration values including node.secret via an authenticated GET /api/settings endpoint, allowing an authenticated user to retrieve the shared authentication secret and subsequently impersonate the init administrative user by sending requests with the stolen node.secret via the X-Node-Secret header or node_secret query parameter. This enables privilege escalation and full administrative access to the Nginx configuration interface without additional authentication.

Information Disclosure Nginx
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7381 CRITICAL Act Now

Plack::Middleware::XSendfile through version 1.0053 allows remote unauthenticated attackers to read arbitrary files from nginx-proxied servers by injecting malicious X-Sendfile-Type and X-Accel-Mapping headers. When the middleware's sendfile type is not explicitly configured, clients can force nginx's X-Accel-Redirect mode and manipulate path mappings to access sensitive files outside intended directories. The middleware has been deprecated as of version 1.0053 and will be removed in future Plack releases. EPSS score of 0.01% suggests low current exploitation activity despite the high CVSS 9.1 rating. No public exploit code identified at time of analysis, though the attack technique mirrors the documented CVE-2025-61780 vulnerability in Rack::Sendfile.

Information Disclosure Nginx
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-35051 Go HIGH PATCH GHSA This Week

Authentication bypass in Traefik's ForwardAuth middleware allows remote attackers to spoof the X-Forwarded-Prefix header and gain unauthorized access to protected backend routes when deployed behind trusted upstream proxies. Despite trustForwardHeader=false configuration, Traefik fails to sanitize attacker-controlled X-Forwarded-Prefix values in authentication subrequests, enabling attackers to impersonate trusted path prefixes (e.g., /admin) and bypass authorization checks in the authentication service. The vulnerability affects Traefik v2.x and v3.x series and is confirmed patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. No KEV listing or EPSS data available at time of analysis, but a detailed proof-of-concept with complete Docker reproduction environment is publicly available in the GitHub advisory, significantly lowering exploitation complexity for attackers.

Docker Nginx Authentication Bypass Python
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.0%
CVE-2026-41432 Go HIGH PATCH GHSA This Week

Attackers can forge Stripe webhook events to obtain unlimited API quota without payment in QuantumNous new-api (Go package github.com/QuantumNous/new-api). The vulnerability exploits an empty default webhook secret that allows HMAC signature forgery, missing payment status validation, and cross-gateway order fulfillment logic that permits completing orders created through any payment provider (Epay, Creem, Waffo) via fabricated Stripe callbacks. Virtually all deployments with any payment method enabled are vulnerable in default configuration. Fixed in version 0.12.10. No public exploit code identified at time of analysis, but the detailed advisory includes a proof-of-concept pseudocode demonstrating the attack chain. CVSS 7.1 (High) with low attack complexity and low privileges required indicates practical exploitation risk for deployed instances.

Google Nginx Python RCE
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33208 HIGH PATCH This Week

Command injection in Roxy-WI versions prior to 8.2.6.4 enables authenticated attackers to execute arbitrary OS commands with sudo privileges on managed servers. The vulnerability stems from unsanitized input in the /config/<service>/find-in-config endpoint that breaks out of grep command context during remote SSH execution. A proof-of-concept exploit exists (CVSS E:P), and the CVSS 4.0 score of 7.4 reflects network-based attack with low complexity requiring only low-privilege authentication. Vendor-released patch 8.2.6.4 available via GitHub commit 02f147d.

RCE Nginx Command Injection Apache
NVD GitHub
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-33078 HIGH PATCH This Week

SQL injection in Roxy-WI versions before 8.2.6.4 allows remote unauthenticated attackers to execute arbitrary SQL commands via the server_ip parameter in the haproxy_section_save function. The vulnerability stems from unsanitized URL path parameters being directly interpolated into SQL queries using Python string formatting. Proof-of-concept code exists (CVSS E:P), and the CVSS 4.0 score of 8.9 with network vector (AV:N), low complexity (AC:L), and no authentication (PR:N) indicates a critical, easily exploitable vulnerability. Vendor-released patch available in version 8.2.6.4.

Nginx SQLi Python Apache
NVD GitHub
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-33077 HIGH PATCH This Week

Arbitrary file read in Roxy-WI versions before 8.2.6.4 allows unauthenticated remote attackers to access sensitive files on the server via path traversal in the oldconfig parameter of the haproxy_section_save interface. This CVSS:4.0 vector indicates zero attack complexity and no prerequisites, enabling trivial exploitation to exfiltrate configuration files, credentials, or private keys. GitHub Security Advisory confirms the vulnerability with proof-of-concept exploitation status (E:P), representing immediate risk for exposed Roxy-WI management interfaces.

Nginx Apache Path Traversal
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-33076 HIGH PATCH This Week

Remote code execution in Roxy-WI versions before 8.2.6.4 allows unauthenticated attackers to write malicious code into scheduled tasks via path traversal in the haproxy_section_save interface. The vulnerability chains CWE-22 path traversal with cron job manipulation, enabling arbitrary command execution on servers managing HAProxy, Nginx, Apache, and Keepalived infrastructure. CVSS 8.9 with network attack vector and no privileges required indicates critical risk, though EPSS data and KEV status are unavailable to confirm active exploitation.

RCE Nginx Apache Path Traversal
NVD GitHub
CVSS 4.0
8.9
EPSS
0.5%
CVE-2026-33432 HIGH This Week

LDAP injection in Roxy-WI web management interface (all versions through 8.2.8.2) allows complete authentication bypass when LDAP authentication is enabled. Unauthenticated remote attackers can inject LDAP filter metacharacters into the username field to manipulate directory queries and access the application without valid credentials. Proof-of-concept code exists (CVSS:4.0 E:P). No vendor patch available at time of publication, affecting production deployments managing Haproxy, Nginx, Apache, and Keepalived infrastructure.

Apache Authentication Bypass Nginx
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVSS 8.8
HIGH PATCH This Week

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_http_slice_module is compiled in and configured alongside unnamed regex captures, or when a background cache update occurs, letting remote attackers trigger uninitialized memory access (CWE-908) in the data plane. The CVSS:4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with no user interaction, scored 8.8. There is no public exploit identified at time of analysis and no CISA KEV listing; F5 has released a patch and the issue does not affect the control plane.

Nginx Information Disclosure Nginx Plus +1
NVD
CVSS 6.3
MEDIUM PATCH This Month

Heap buffer over-read in NGINX Plus's MQTT filter module (ngx_stream_mqtt_filter_module) allows unauthenticated remote attackers to crash the NGINX worker process, causing a brief, recoverable service disruption. The vulnerability is data-plane only - no control plane exposure exists - and exploitation depends partly on runtime conditions outside the attacker's control, reflected by the CVSS 4.0 AT:P metric. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; F5 has released a patch documented in advisory K000162101.

Nginx Buffer Overflow Information Disclosure +1
NVD
CVSS 8.3
HIGH PATCH This Week

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-middle attacker who can control upstream responses corrupt worker-process memory or crash the worker, but only in the non-default configuration combining Server-Side Includes, proxy_pass, and proxy_buffering off. The impact is confined to the data plane with no control-plane exposure, yielding limited memory modification and worker restarts (denial of service) rather than full code execution. No public exploit identified at time of analysis, though a vendor patch is available and the flaw carries a CVSS 4.0 score of 8.3.

Nginx Use After Free Memory Corruption +3
NVD
CVSS 9.2
CRITICAL PATCH Act Now

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (DoS) and, on hosts with ASLR disabled or bypassed, potentially execute arbitrary code by sending crafted HTTP requests. The flaw is a data-plane-only issue triggered when a regex-based map directive references the map's regex capture variables before the map output variable in a string expression, or via a non-cacheable variable under certain conditions. F5 has released a patched version; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Nginx Heap Overflow Buffer Overflow +3
NVD
CVSS 5.3
MEDIUM PATCH This Month

Path traversal in F5 NGINX Agent via the config_dirs directive enables a remotely authenticated low-privileged attacker to read and write files outside of the directories designated as secure in the agent's configuration. The config_dirs directive can be set directly in the NGINX Agent configuration or through NGINX Instance Manager, expanding the attack surface across both products. No public exploit code or active exploitation has been identified at time of analysis, and a vendor patch is available per F5 advisory K000161971.

Nginx Path Traversal Nginx Agent +1
NVD
CVSS 7.1
HIGH PATCH This Week

Denial of service in F5 NGINX Ingress Controller allows an authenticated remote attacker holding write access to Ingress or TransportServer resources to crash the control plane by submitting a malformed resource. Because the offending resource persists in the cluster, the controller re-reads it and re-crashes, producing a durable crash loop rather than a one-time outage. There is no public exploit identified at time of analysis, and impact is confined to the control plane with no data plane or confidentiality/integrity exposure.

Nginx Denial Of Service Null Pointer Dereference +1
NVD
CVSS 8.7
HIGH PATCH This Week

Configuration injection in F5 NGINX Ingress Controller lets an authenticated Kubernetes user with rights to create or modify Ingress CRDs or annotations smuggle arbitrary NGINX directives into the generated configuration. Because multiple user-controllable fields are written to the config without sanitization, an attacker can inject directives that create or delete files and disable services on the control plane. No public exploit identified at time of analysis; this is a control-plane-only issue with no data plane exposure, but the CVSS 4.0 score of 8.7 (High) reflects strong confidentiality and integrity impact.

Nginx Kubernetes Code Injection +1
NVD
EPSS 1% CVSS 7.7
HIGH PATCH This Week

Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

PHP Nginx RCE +3
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

WAF filtering bypass in OWASP ModSecurity (libmodsecurity) before 3.0.16 lets remote unauthenticated attackers smuggle malicious payloads past inspection rules by exploiting a multipart/form-data parser differential. The engine silently strips embedded line breaks from non-file form-field values before populating ARGS and ARGS_POST, so any rule whose detection depends on a newline (e.g. command, header, or injection syntax spanning a line break) fails to match while the backend still receives and acts on the intact payload. No public exploit identified at time of analysis, but the CVSS base score of 8.6 reflects a scope-changing integrity impact on every application shielded by an affected deployment.

Information Disclosure Nginx Apache +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

WAF rule bypass in ModSecurity 3.0.0-3.0.15 on i386 architecture allows network-accessible attackers to evade rules that use the t:utf8toUnicode transformation, potentially permitting injection attacks or other malicious payloads to reach protected applications undetected. The root cause is CWE-467 - sizeof() applied to a char pointer in utf8_to_unicode.cc yields the pointer width (4 bytes on i386) rather than the unicode buffer length, corrupting transformation output. No public exploit code or active exploitation has been identified at time of analysis; the fix is available in v3.0.16.

Authentication Bypass Nginx Apache +1
NVD GitHub VulDB
HIGH POC PATCH This Week

Server-side request forgery (and cross-scheme local file disclosure) in the Ruby css_parser gem (all versions prior to 3.0.0) lets an attacker who can land a single @import url(...) rule in parsed CSS force the server to issue arbitrary HTTP/HTTPS GETs to any internal host, port or IP, and — via an attacker-controlled 302 redirect to a file:// URI — read local files. Premailer-style consumers that re-emit the parsed CSS into rendered HTML/email leak any CSS-shaped response bytes back to the attacker, turning this into a data-exfiltration channel rather than a blind SSRF. No public CVSS is published and it is not in CISA KEV, but a complete working proof-of-concept (poc.rb) is included in the advisory, so publicly available exploit code exists.

Kubernetes Hashicorp SSRF +7
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

{service} endpoint to download raw Frigate and nginx logs. Those logs record request query strings containing auto-generated admin passwords and camera credentials, so a viewer can harvest them and re-authenticate as administrator. No public exploit identified at time of analysis, but the flaw is mechanically trivial to abuse once any viewer session exists, and no fixed release has been identified.

Privilege Escalation Nginx
NVD GitHub
CVSS 7.6
HIGH PATCH This Week

Single-use authorization-code enforcement can be bypassed under concurrency in the better-auth OAuth provider (@better-auth/oauth-provider 1.6.0 through 1.6.10, the embedded plugin in better-auth 1.4.8-beta.7 through 1.6.10, and the legacy oidc-provider and mcp plugins). Because the POST /oauth2/token authorization_code grant redeems the code via a non-atomic find-then-delete, two concurrent requests carrying the same code both pass the read step and each mint a fresh access, refresh, and id token for the original user's scope. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor rates it CVSS 4.0 7.6 (High) with high confidentiality and integrity impact.

Authentication Bypass Nginx Redis +1
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

Account takeover in FOSSBilling 0.5.6 through 0.7.2 arises because the reset_password guest API endpoint reuses an existing, unexpired ClientPasswordReset token rather than rotating it on each request. An attacker who has captured a victim's earlier reset link retains a valid path to hijack the account even after the victim requests a fresh reset, since the original token is never invalidated and its 15-minute window is anchored to the first request. No public exploit is identified at time of analysis, and the CVSS 4.0 score is 7.7 (High); version 0.8.0 fixes the flaw.

Information Disclosure Nginx Apache
NVD GitHub VulDB
CVSS 9.8
CRITICAL Act Now

Arbitrary file read in GravitLauncher LaunchServer ≤ 5.7.11 lets an unauthenticated remote attacker retrieve any file readable by the server process via a path-traversal in the default-enabled HTTP file server on port 9274. Because the exposed files include the ECDSA key that signs access JWTs (.keys/ecdsa_id), the refresh-token salt, and database credentials, the flaw escalates from information disclosure to a full authentication bypass allowing forged admin tokens. Publicly available exploit code exists (a raw-socket PoC in the advisory); the issue is not listed in CISA KEV and no active exploitation is confirmed.

Path Traversal Authentication Bypass Nginx +2
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Arbitrary file disclosure and PHP local file inclusion in Cockpit CMS before release 364 lets unauthenticated remote attackers read files outside the web root and, on certain server setups, cause the application to include() attacker-chosen .php files. The flaw stems from unvalidated PATH_INFO (derived from REQUEST_URI) being used to build filesystem paths without containment checks. Publicly available exploit code exists; it is not listed in CISA KEV and no EPSS score was provided.

Path Traversal Nginx PHP +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

IP header spoofing in GoFiber's BalancerForward proxy middleware allows any remote unauthenticated attacker to inject a forged X-Real-IP header that upstream servers treat as authoritative. The middleware calls Header.Add() rather than Header.Set() when stamping the real client IP, causing the attacker-supplied value to remain as the first header instance - the one read by nginx, Express, Apache, and most HTTP servers for rate limiting, IP-based ACLs, and audit logging. No public exploit has been identified at time of analysis, but exploitation requires only the ability to set an arbitrary HTTP header, making this trivially accessible to any network attacker targeting deployments using the BalancerForward helper.

Authentication Bypass Nginx Node.js +1
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Arbitrary file upload leading to remote code execution in the Divi Form Builder WordPress plugin (versions through 5.1.8) lets unauthenticated attackers upload executable PHP files and run arbitrary code on the server. Attacker-controlled input from the acceptFileTypes POST parameter is interpolated directly into the file-validation regex in do_image_upload(), allowing alternate PHP extensions (.phtml, .phar, .php5, .php7) that evade the plugin's .php-only .htaccess block - and on Nginx the .htaccess protection does not apply at all. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 9.8 rating and Wordfence's technical disclosure make this a high-priority patching target.

WordPress Nginx PHP +3
NVD
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Authentication bypass in Presenton's bundled MCP server exposes server and Docker deployments to unauthenticated remote exploitation via the unprotected /mcp endpoint. When operators configure session authentication using AUTH_USERNAME/AUTH_PASSWORD, nginx enforces access control on all paths except /mcp, which is absent from the auth_request gate - and the MCP server compounds this by auto-minting valid internal session tokens for the configured user on any incoming request. An unauthenticated remote attacker can therefore invoke MCP tools such as generate_presentation as if fully authenticated, consuming the operator's LLM API keys and writing arbitrary presentations to the instance. A publicly available proof-of-concept exists; no active exploitation confirmed in CISA KEV.

Authentication Bypass Nginx Docker +1
NVD GitHub
CVSS 5.3
MEDIUM PATCH This Month

Memory exhaustion in fluent-plugin-opentelemetry versions 0.5.2 and earlier allows unauthenticated remote attackers to crash the Fluentd process by sending an oversized HTTP request body or a decompression bomb to the `in_opentelemetry` HTTP input endpoint (default port 4318). The plugin reads and decompresses the entire payload into memory without enforcing size thresholds, enabling an OOM kill of Fluentd and complete disruption of log collection and forwarding on the affected node. No public exploit code or CISA KEV listing has been identified at time of analysis.

Nginx Denial Of Service
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Denial of service in Fluentd (rubygems package, versions <= 1.19.2) lets remote attackers crash the log collector by sending a gzip decompression bomb to the in_http (default port 9880) or in_forward (default port 24224) plugins. Although Fluentd enforces body_size_limit and chunk_size_limit on the compressed payload, it applies no ceiling on the decompressed output, so a tiny crafted payload expands in memory until the OS OOM-kills the process. No public exploit identified at time of analysis and it is not in CISA KEV, but EPSS-style risk is bounded by the requirement that an input port be reachable from an untrusted network.

Nginx Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

The Kubernetes Ingress NGINX provider in Traefik v3.7.0-ea.1 through v3.7.4 fails open when BasicAuth or DigestAuth cannot be installed because the referenced auth-secret is unresolvable, silently publishing the intended-to-be-protected backend route without any authentication middleware to unauthenticated network clients. Operators who explicitly configure auth via nginx.ingress.kubernetes.io/auth-type and auth-secret annotations are left with a live, fully accessible backend route while Traefik logs a single controller-level error and routes traffic normally - a direct violation of the declared security intent. A detailed proof-of-concept covering eight distinct secret-failure scenarios was developed by the reporter and confirmed on both current master and v3.7.1; no public release of exploit code is confirmed and no CISA KEV listing exists at time of analysis.

Nginx Kubernetes Denial Of Service +3
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Server-Side Request Forgery and arbitrary JavaScript injection in Craft CMS 4.x (before 4.18) and 5.x (before 5.10) allow remote unauthenticated attackers to poison the Host or X-Forwarded-Host header against the /actions/app/resource-js endpoint, forcing the backend Guzzle client to proxy attacker-controlled content as application/javascript. When the instance sits behind a caching layer, this chains into web cache poisoning, stored XSS in the Control Panel, and 1-click RCE via session-riding the plugin install action. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c55v-343g-5xff) provides detailed exploitation mechanics.

SSRF RCE Apache +2
NVD GitHub
CVSS 5.3
MEDIUM PATCH This Month

Path traversal and query-string injection in the OpenTelemetry Collector Contrib Sentry exporter allows any OTLP span sender to redirect the collector's operator bearer token to arbitrary Sentry API endpoints - including privileged admin, organization, and member management endpoints. The vulnerability stems from the `service.name` span attribute being interpolated directly into Sentry API URLs via `fmt.Sprintf` without validation, while the existing `projectSlugRegexp` safeguard is only applied to operator-configured mappings and never to runtime-derived slugs. No CISA KEV listing exists at time of analysis, but the GHSA advisory provides detailed exploitation steps demonstrating both a universally reliable query-string injection vector and a nginx-dependent path traversal vector, with a fixed version available at 0.154.0.

Path Traversal Nginx Kubernetes
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Denial-of-service in F5 NGINX Gateway Fabric allows an authenticated Kubernetes user with rights to create or modify GRPCRoute resources to crash the control plane by submitting GRPCRoute objects containing malformed backendRef filters. The flaw, tracked under CWE-129 (Improper Validation of Array Index), carries a CVSS 4.0 score of 7.1 with pure availability impact and no public exploit identified at time of analysis.

Nginx Information Disclosure Nginx Gateway Fabric
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Configuration injection in F5 NGINX Gateway Fabric allows an authenticated Kubernetes user with permission to create or modify NginxProxy Custom Resource Definitions to inject arbitrary NGINX directives into generated configuration files via the unsanitized access log format setting. The flaw resides in the control plane configuration generator and affects deployments using NGINX Plus or NGINX Open Source as the data plane. There is no public exploit identified at time of analysis, and CVSS 4.0 rates the impact at 8.6 (High) driven by high confidentiality and integrity loss on the vulnerable system.

Nginx Code Injection Nginx Gateway Fabric
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Configuration injection in F5 NGINX Gateway Fabric lets an authenticated Kubernetes user who can create or modify NginxProxy or AuthenticationFilter Custom Resources inject arbitrary NGINX directives into generated data-plane configuration. The flaw lives in the control-plane config generator, which renders the serverTokens and extraAuthArgs fields into NGINX templates without escaping, so any tenant holding RBAC rights over these CRDs can rewrite the NGINX Plus config that gets deployed. There is no public exploit identified at time of analysis and EPSS is low (0.36%), but SSVC rates the technical impact as total.

Nginx Code Injection Nginx Gateway Fabric
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Heap buffer over-read in NGINX Plus and NGINX Open Source's ngx_http_charset_module exposes limited worker process memory or triggers a worker restart when remote unauthenticated attackers send crafted requests against a non-default charset conversion configuration. Exploitation requires both a specific dual-directive configuration (source_charset utf-8 alongside a differing charset directive such as koi8-r in the same location block) and content-dependent conditions outside the attacker's direct control, reflected in the CVSS AC:H rating. No public exploit code exists and this CVE does not appear in the CISA KEV catalog; the vendor F5 has published advisory K000161585 with patched version guidance.

Nginx Information Disclosure Buffer Overflow +4
NVD VulDB
EPSS 1% CVSS 9.2
CRITICAL POC PATCH Act Now

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic upstream when ignore_invalid_headers is off and large_client_header_buffers exceeds 2 MB. Remote unauthenticated attackers sending oversized headers can crash the worker process, and where ASLR is disabled or bypassable, achieve arbitrary code execution. No public exploit identified at time of analysis and CISA SSVC marks exploitation as 'none', but technical impact is rated total.

Nginx Heap Overflow Buffer Overflow +2
NVD VulDB GitHub
EPSS 1% CVSS 9.2
CRITICAL POC PATCH Act Now

Use-after-free in NGINX Open Source's ngx_http_v3_module allows remote unauthenticated attackers to crash worker processes and potentially execute arbitrary code on hosts where HTTP/3 QUIC is enabled. Exploitation requires a specially crafted HTTP/3 session that reopens a QPACK encoder stream, with code execution contingent on ASLR being disabled or bypassed; no public exploit identified at time of analysis, though SSVC technical impact is rated total.

Nginx Use After Free Memory Corruption +2
NVD VulDB GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in vLLM versions 0.3.0 through 0.21.x allows remote unauthenticated attackers to reach OpenAI-compatible API endpoints without supplying the configured VLLM_API_KEY by injecting URL-special characters into the HTTP Host header. The flaw stems from vLLM's AuthenticationMiddleware reconstructing the request URL via starlette's URL(scope) - which trusts an unsanitized Host value - while FastAPI routing uses the raw HTTP path, producing a mismatch the attacker controls. No public exploit identified at time of analysis, but x41-dsec disclosed full technical details and a vendor-released patch is available in 0.22.0.

Nginx Authentication Bypass Request Smuggling
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Server-side request forgery in Starlette's StaticFiles on Windows allows unauthenticated remote attackers to coerce the application process into making outbound SMB connections to attacker-controlled hosts, leaking the service account's NTLMv2 hash for offline cracking or NTLM relay. The flaw affects all Starlette versions before 1.1.0 (including downstream frameworks like FastAPI) when running on Windows in the default follow_symlink=False configuration, and no public exploit identified at time of analysis though the GHSA advisory provides full technical detail sufficient to reproduce.

Python Nginx Microsoft +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.

Nginx N A Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-tenant container deletion in the Radius Kubernetes controller (versions <= v0.57.1) allows a tenant with Deployment annotation-edit rights to coerce the high-privilege controller into deleting another tenant's container resource by injecting a forged radapp.io/status JSON blob. The flaw is a classic Confused Deputy (CWE-441/CWE-20) that yields an availability-only impact, is most severe in multi-tenant installs, and currently has publicly available exploit code via the GHSA advisory but no public exploit identified at time of analysis in CISA KEV.

Privilege Escalation Nginx Kubernetes
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Sensitive information disclosure in nebula-mesh (all versions ≤ v0.3.1) leaks newly-minted 32-byte operator API bearer tokens into browser URL history, cross-origin Referer headers, and reverse-proxy access logs by embedding the raw token in a 303 redirect query string. Any actor with read access to nginx combined-format logs, CDN logs, or browser history backup storage can harvest the token and impersonate the operator via the API. A secondary CWE-116 flaw in the same handler omits url.QueryEscape on the user-supplied key name, enabling query-string corruption and potential header injection in older proxies. No public exploit identified at time of analysis; a detailed step-by-step reproducer is included in the GitHub Security Advisory GHSA-9pg3-25fq-p6cc. Fix is available in v0.3.2.

Nginx Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Path traversal in Roxy-WI versions 8.2.6.4 and prior allows authenticated remote attackers to read arbitrary configuration files via the config_file_name and configver parameters. The vendor's attempted fix in commit d4d10006 is ineffective due to a logic error - it uses Python tuple-membership instead of substring containment - leaving all realistic '../' payloads unblocked, with no public exploit identified at time of analysis.

Path Traversal Nginx Apache
NVD GitHub
EPSS 0% CVSS 8.3
HIGH This Week

Authentication bypass in Roxy-WI versions 8.2.6.4 and prior allows remote unauthenticated attackers to reach protected API functionality by including the 'api' substring in the URL, with the /api/gpt endpoint specifically exposed without authentication. The flaw carries a CVSS 8.3 with scope change and affects a web management interface for HAProxy, Nginx, Apache, and Keepalived, and no public exploit has been identified at time of analysis. No vendor-released patch exists at time of publication, making this a high-priority issue for any internet-exposed installation.

Authentication Bypass Nginx Apache
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Open redirect in Roxy-WI versions 8.2.6.4 and prior allows unauthenticated remote attackers to silently redirect authenticated users to attacker-controlled domains by exploiting a bypass in the login flow's URL filter. The filter blocks `next` parameter values containing `http://` or `https://` substrings but does not account for RFC-3986 userinfo@host syntax; submitting `next=@evil.example/path` causes the server to construct `https://victim.example@evil.example/path`, which modern browsers route to `evil.example`. No public exploit code has been identified at time of analysis, no patch is available, and this vulnerability is not listed in CISA KEV.

Nginx Open Redirect Apache
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Path traversal bypass in Roxy-WI versions 8.2.6.4 and earlier allows authenticated remote attackers to escape input sanitization in the EscapedString Pydantic validator and inject shell metacharacters alongside '..' sequences. The flaw stems from a flawed if/elif/elif/else control flow that strips metacharacters without re-enforcing the '..' block, and the result is never shlex-quoted before reaching downstream command contexts. No public exploit identified at time of analysis, and no vendor-released patch identified at time of analysis.

Information Disclosure Nginx Apache
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated command injection in Roxy-WI versions 8.2.6.4 and prior allows low-privileged users (role <= 3, 'user') to execute arbitrary OS commands by abusing the configver URL-path parameter on POST /config/versions/<service>/<server_ip>/<configver>/save, which flows unsanitized into an os.system() call wrapping dos2unix. No public exploit identified at time of analysis, but the GHSA advisory is published and no vendor patch exists, leaving exposed instances at immediate risk of full compromise of the management interface host.

Command Injection Nginx Apache
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Roxy-WI 8.2.6.4 and prior exposes a broken object-level authorization flaw in its audit history endpoint, allowing any authenticated user to read any other user's full action audit trail. The GET /history/user/<server_ip> endpoint conflates the server_ip path parameter with a user identifier and performs no authorization check, meaning a guest account in an unrelated group can enumerate administrators' operational history including server IPs touched, configs deployed, and services restarted. No patch is available at time of publication; no public exploit code or active exploitation has been identified.

Authentication Bypass Nginx Apache
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

{version,uptime,status,checks}/<server_ip>` route family passes the Flask URL path parameter directly into a Python `requests.get()` call without any allowlist or blocklist validation, making IPv4 literals such as 169.254.169.254, RFC1918 ranges, and 127.0.0.1 all valid targets. No publicly available patches exist at time of analysis, and no public exploit code or CISA KEV listing has been identified.

Python Nginx SSRF +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored cross-site scripting in Roxy-WI 8.2.6.4 and prior allows any unauthenticated remote attacker who can send HTTP requests to a managed HAProxy or Nginx load balancer to inject malicious payloads into server access logs, which then execute in the browser of any Roxy-WI administrator who opens the log viewer. The vulnerability stems from unsanitized HTML concatenation in the Python backend combined with unsafe jQuery .html()/.append() rendering on the frontend - a classic stored XSS with a changed scope (S:C) because the attacker's input, written via the load balancer, achieves code execution in the privileged admin web UI context. No publicly available patches exist at time of analysis; no public exploit code or CISA KEV listing has been identified.

XSS Nginx Apache
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

LDAP injection in Roxy-WI 8.2.6.4 and prior exposes LDAP directory attributes to authenticated administrators who can manipulate search filter logic via the username URL path parameter. The vulnerable function get_ldap_email (app/modules/roxywi/user.py:120-157) constructs LDAP queries through unsanitized f-string concatenation, enabling injection of additional filter clauses such as *)(mail=*)(cn=* to enumerate or harvest attributes beyond the intended user record. No patch is available at time of publication, and no public exploit identified at time of analysis.

Code Injection Nginx Apache +1
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated low-privilege users (role ≤ 3) to inject arbitrary HAProxy directives via unvalidated JSON option fields in the HAProxy section-save API endpoints, achieving command execution as the haproxy user on every managed load balancer. No public exploit has been identified at time of analysis, but the attack is straightforward given the documented injection path through the section.j2, global.j2, and defaults.j2 Ansible templates, and no vendor-released patch is available.

RCE Nginx Apache
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated users to write attacker-controlled content to arbitrary absolute paths on managed load balancers via the WAF rule save endpoint. By dropping a malicious cron file (e.g., /etc/cron.d/nginx_cfg_evil), an attacker achieves root-level code execution on every load balancer in the caller's group. No public exploit identified at time of analysis, and no vendor-released patch is currently available, making this a high-priority issue for any exposed deployment.

Information Disclosure Nginx Apache
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Cross-tenant data tampering in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user to silently overwrite HTTP, TCP, Ping, and DNS monitoring checks belonging to other tenants by sending a crafted PUT /smon/check request with another tenant's smon_id. The flaw stems from missing user_group authorization on the UPDATE SQL path (CWE-639, IDOR), while the DELETE path is correctly filtered - confirming the maintainers knew the right pattern but failed to apply it on update. No public exploit identified at time of analysis, and no vendor-released patch is available, raising operational risk for multi-tenant deployments.

Authentication Bypass Nginx Apache
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Privilege escalation in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user - including the lowest-privilege 'guest' role 4 - to start, stop, or restart the roxy-wi-smon-agent systemd unit on arbitrary managed servers, with the action executing as root via Roxy-WI's passwordless sudo SSH credentials. The flaw stems from missing role and group-ownership checks on the agent_action endpoint, and no public exploit has been identified at time of analysis though the vulnerability is trivially reachable once an account exists.

Authentication Bypass Nginx Apache
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation and cross-tenant compromise in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user - including the default guest role 4 - to install or reconfigure exporters, WAF, and GeoIP databases on every managed server regardless of tenant ownership. Because the affected installer endpoints lack role and group decorators, low-privilege users can pivot through stored SSH credentials with sudo to achieve root-level command execution on HAProxy/Nginx/Apache hosts belonging to other tenants. No public exploit identified at time of analysis, but the issue is unpatched and rated CVSS 9.9.

Authentication Bypass Nginx Apache
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authenticated remote code execution in Nginx Proxy Manager versions 2.9.14 through 2.15.1 allows users holding the certificates:manage permission to inject arbitrary OS commands via the dns_provider_credentials field, which executes on backend restart as the service account. No public exploit has been identified at time of analysis, but the vendor patch (commit a5db5ed) and a VulnCheck advisory disclose the exact sink (child_process.exec in setupCertbotPlugins), making weaponization straightforward. CVSS 7.5 (AV:N/AC:H/PR:L) reflects the authentication and timing prerequisites rather than reduced impact - successful exploitation yields full code execution on the proxy host.

RCE Nginx Command Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Password reset token enumeration in FOSSBilling prior to 0.8.0 exposes three authentication endpoints - including the elevated-privilege admin reset at `/staff/email/:hash` - to unlimited brute-force guessing due to a rate limiter architecturally scoped exclusively to `/api/*` routes. The confirmation endpoint acts as a CWE-204 oracle, returning distinguishable HTTP responses (200 for valid tokens, 302 redirect for invalid), allowing an unauthenticated remote attacker to probe token validity without throttling, lockout, or attempt counting. Practical exploitation risk is substantially reduced by 256-bit token entropy (`hash('sha256', random_bytes(32))`) combined with a 15-minute expiry window, which is accurately reflected in the CVSS 4.0 AC:H/AT:P scoring; no public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Oracle Apache +2
NVD GitHub
EPSS 0%
CRITICAL PATCH Act Now

YAML injection in Jupyter Enterprise Gateway prior to 3.3.0 allows attackers controlling KERNEL_* environment variables submitted via the /api/kernels endpoint to manipulate Kubernetes manifest rendering, escalating to privileged pod creation and full cluster compromise. The Jinja2 template at kernel-pod.yaml.j2 interpolates untrusted values without YAML-aware escaping, allowing both key overwrites (e.g., securityContext) and multi-document YAML injection to spawn arbitrary Pods, Secrets, PVCs, PVs, Services, and ConfigMaps. A detailed proof-of-concept is published in the GHSA advisory, though no CISA KEV listing or in-the-wild exploitation has been confirmed at time of analysis.

Kubernetes Nginx RCE
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in Apache HTTP Server 2.4.17 through 2.4.67 (via the bundled mod_http2 module) allows remote unauthenticated attackers to exhaust server memory by sending crafted HTTP/2 requests whose cookie headers are not correctly counted against LimitRequestFields. Publicly available exploit code exists and a third-party write-up describes a 'hidden HTTP/2 bomb,' but EPSS exploitation probability is currently very low (0.02%, 5th percentile) and the CVE is not on the CISA KEV list.

Apache Denial Of Service Http Server +2
NVD GitHub VulDB
EPSS 0% CVSS 2.9
LOW PATCH Monitor

Brute force regulation bypass in Authelia's Basic Auth flow (versions 4.38.0-4.39.19) allows unauthenticated remote attackers to partially circumvent account lockout controls by submitting login attempts using case variants of a target username (e.g., 'john', 'John', 'JOHN'). Because Authelia passes the raw Authorization header username to the regulation system without canonicalization, and LDAP backends treat these as the same identity while the regulation SQL queries treat them as distinct, each casing variant occupies a separate ban bucket - multiplying the effective attempt quota before lockout triggers. No public exploit identified at time of analysis, and the CVSSv4 weighted score of 2.9 (Low) reflects the narrow exploitation conditions required and the lack of attacker feedback during exploitation.

Information Disclosure Nginx
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated backup file disclosure in Suprema BioStar 2 server (versions 2.9.3 through 2.9.11) allows remote attackers to download sensitive backup ZIP archives directly via predictable '/download/' URLs when the administrator places the backup path inside the NGINX webroot. The exposed archives can contain database credentials and cryptographic material enabling server impersonation, database compromise, and lateral movement. No public exploit identified at time of analysis, but SSVC rates the flaw as automatable with total technical impact and CVSS 4.0 scores it 10.0.

Authentication Bypass Nginx
NVD
EPSS 0%
HIGH PATCH This Week

Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets an attacker who controls a referenced OSCAL artifact plant attacker-supplied content anywhere the trestle process can write. The HTTPSFetcher and SFTPFetcher cache layer builds the local cache file path directly from the URL path component, so when trestle imports a remote OSCAL profile whose href contains `../` traversal the fetched HTTP/SFTP response body escapes the .trestle cache directory; overwriting files such as /etc/cron.d entries, ~/.ssh/authorized_keys, or a module on sys.path turns the primitive into code execution. A reproducible public proof-of-concept exists in the GHSA advisory (GHSA-g3vg-vx23-3858); the flaw is not listed in CISA KEV and no CVSS or EPSS scoring is provided, but the maintainers have shipped fixes in 4.0.3 and 3.12.2.

IBM RCE Python +2
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Command injection in Atril (MATE document viewer) and related forks Evince/Xreader allows attackers to execute arbitrary shell commands when a victim opens a maliciously crafted document. The fix, shipped in Atril 1.26.3 and 1.28.4, quotes user-supplied strings passed to the ev_spawn command line, indicating unsanitized input was being interpolated into a spawned subprocess. No public exploit identified at time of analysis, but disclosure on oss-security and Debian LTS advisories suggests Linux desktop distributions are actively patching.

Command Injection Nginx Apache
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL POC PATCH Act Now

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated remote attackers sending crafted HTTP requests that target rewrite directives using overlapping PCRE captures (e.g., $1$2 referencing ^/((.*))$) in redirect or arguments contexts. Impact ranges from worker process crash/restart to arbitrary code execution where ASLR is disabled or bypassed; publicly available exploit code exists, though EPSS exploitation probability is low (0.15%, 35th percentile) and the issue is not in CISA KEV.

Buffer Overflow Nginx Heap Overflow +2
NVD VulDB GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Heap buffer overflow in F5 NGINX JavaScript (njs) module versions 0.9.4 through 0.9.8 allows unauthenticated remote attackers to crash NGINX worker processes, with potential remote code execution on hosts where ASLR is disabled. Exploitation requires the deployment to use the js_fetch_proxy directive with at least one client-controlled NGINX variable (such as $http_*, $arg_*, or $cookie_*) and a location that invokes ngx.fetch(). No public exploit identified at time of analysis, but a vendor patch is available and the CVSS 4.0 base score of 9.2 reflects the high impact across confidentiality, integrity, and availability.

RCE Buffer Overflow Nginx +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in AVideo streaming platform allows authenticated users with streaming privileges to execute arbitrary OS commands through shell metacharacter injection in the Live plugin. The vulnerability exists in the on_publish.php webhook endpoint which builds shell commands using unsafe string concatenation instead of proper escaping, allowing attackers to inject commands via specially crafted stream keys containing single quotes. While the CVSS indicates low privileges required (authenticated users with canStream permission), the impact is severe as it grants full web server user access.

Command Injection Apache Nginx +2
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Token leakage in Portainer's authentication middleware allows JWT bearer tokens passed via the `?token=<JWT>` URL query parameter to be harvested from reverse-proxy access logs, browser history, and HTTP Referer headers, enabling account takeover for the validity window of the token (default 8 hours). The flaw affected any user with container exec/attach rights - not just administrators - and a leaked admin token grants full control of Portainer and every managed Docker/Kubernetes environment. No public exploit identified at time of analysis, though the underlying behavior was present since JWT auth was introduced and the GitHub Security Advisory provides sufficient detail to weaponize.

Kubernetes Docker Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Fleet instances fail to validate the origin of client IP headers (True-Client-IP, X-Real-IP, X-Forwarded-For) before using them for API rate limiting, allowing unauthenticated attackers to bypass per-IP brute-force protections on sensitive endpoints such as login by rotating header values across requests. This vulnerability primarily affects Fleet deployments directly exposed to the internet without a reverse proxy that overwrites forwarded headers; instances behind properly configured proxies or WAFs have reduced exposure.

Authentication Bypass Nginx
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

NGINX Open Source configured to proxy HTTP/2 traffic with proxy_http_version set to 2 combined with proxy_set_body allows remote unauthenticated attackers to inject frame headers and payload bytes to upstream peers, enabling potential header injection or request manipulation attacks. The vulnerability affects default configurations without requiring authentication or user interaction, with CVSS 5.8 indicating moderate integrity impact across networked systems. No public exploit code or active exploitation has been confirmed at this time.

Code Injection Nginx Nginx Open Source
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

NGINX Plus and NGINX Open Source configured with the HTTP/3 QUIC module allows unauthenticated remote attackers to spoof source IP addresses, enabling bypass of authorization checks and rate-limiting controls. The vulnerability affects both commercial and open-source variants when QUIC is explicitly enabled, with patches available from F5.

Authentication Bypass Nginx Nginx Plus +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle position between NGINX and upstream servers to read worker process memory or crash the service. Affects both NGINX Open Source and NGINX Plus when scgi_pass or uwsgi_pass directives are configured. The vulnerability requires network positioning between NGINX and its backend servers (AV:N with AT:P - Present attack complexity), making exploitation dependent on network architecture. No public exploit identified at time of analysis. CVSS 8.3 (High) reflects potential for confidential data exposure but limited by MITM prerequisite.

Information Disclosure Nginx Nginx Plus +1
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Heap buffer over-read in NGINX's ngx_http_charset_module allows unauthenticated remote attackers to leak sensitive memory or crash worker processes when specific configuration directives (charset, source_charset, charset_map, and proxy_pass with buffering disabled) are combined. The vulnerability requires attacker-controlled conditions that depend on factors outside the attacker's control, limiting exploitability but creating real risk for affected deployments. CVSS 4.8 reflects the conditional nature of exploitation and limited scope of impact (information disclosure or availability).

Information Disclosure Buffer Overflow Nginx +2
NVD VulDB
EPSS 0% 5.3 CVSS 9.2
CRITICAL POC PATCH Act Now

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. F5 has released patches addressing this critical flaw. EPSS data unavailable; no KEV listing or public exploit identified at time of analysis, though the specific configuration requirements and dependency on external conditions likely limit widespread exploitation despite the 9.2 CVSS score.

Heap Overflow RCE Buffer Overflow +3
NVD GitHub VulDB HeroDevs
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Heap-use-after-free in NGINX Plus and NGINX Open Source allows unauthenticated remote attackers to trigger memory corruption in the worker process when ssl_verify_client is set to 'on' or 'optional' and ssl_ocsp is configured with a resolver. Exploitation can cause limited information disclosure or worker process restart, with CVSS 4.8 reflecting moderate impact constrained by high attack complexity. No public exploit code or active exploitation has been identified at time of analysis.

Information Disclosure Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection. A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement. This issue affects bandit: from 1.6.1 before 1.11.1.

Denial Of Service Nginx
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule any of @verifySSN, @verifyCPF, or @verifySVNR. This vulnerability is fixed in 3.0.15.

Integer Overflow Apache Information Disclosure +3
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.

SSRF Nginx
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuration scenarios to achieve code execution, and this issue is not mitigated by the SPIP security screen.

Nginx Code Injection RCE
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

HTTP request smuggling in Netty's netty-codec-http (HttpObjectDecoder) lets remote attackers desynchronize message boundaries by sending an HTTP/1.0 request carrying both Transfer-Encoding: chunked and Content-Length. Netty's anti-smuggling sanitization that strips the conflicting Content-Length header only runs for HTTP/1.1, so on HTTP/1.0 Netty parses the body as chunked while leaving Content-Length intact for any downstream Content-Length-first proxy, which then treats trailing chunk bytes as a new request. Publicly available exploit code exists (a working EmbeddedChannel PoC test), but EPSS is very low (0.03%, 8th percentile) and it is not in CISA KEV.

Authentication Bypass Request Smuggling Java +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

DNS rebinding in rmcp Rust crate allows malicious websites to control local MCP servers and achieve arbitrary code execution through exposed developer tools. Fixed in version 1.4.0 via Host header validation with loopback-only default allowlist. The vulnerability affects Streamable HTTP server transport only (stdio and child-process transports unaffected). Vendor-released patch available (PR #764, commit 8e22aa2). Similar vulnerabilities patched across TypeScript, Python, Go, and Java MCP SDKs indicate coordinated disclosure. CVSS 8.8 (network vector, low complexity, requires user interaction) reflects browser-mediated attack requiring victim to visit attacker site.

Python RCE Java +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated information disclosure in AVideo CloneSite plugin (versions ≤29.0) leaks the installation's shared secret authentication key through an error message, enabling attackers to impersonate the victim installation to its federated clone server and trigger a full database dump into a publicly accessible directory. The vulnerability chains two flaws: cloneClient.json.php echoes the local myKey credential in HTTP responses to any unauthenticated request due to incorrect $argv handling in web contexts, and the remote cloneServer.json.php then accepts this leaked key to authenticate mysqldump operations without IP restrictions or access controls on the resulting dump files. Patch available via GitHub commit e6566f56. No evidence of active exploitation (not in CISA KEV); EPSS data not provided. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from direct credential exposure plus cross-site database access in federated deployments.

PHP Information Disclosure Nginx
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Worker process crashes occur in ModSecurity (libmodsecurity3) when processing query string parameters containing single characters through the t:hexDecode transformation function. Remote unauthenticated attackers can trigger repeated segmentation faults to disrupt web application firewall protection, though service automatically recovers once the attack ceases. All libmodsecurity3 versions before 3.0.15 are affected across Apache, IIS, and Nginx deployments. OWASP confirmed the vulnerability via GitHub security advisory GHSA-qrjc-3jpc-3h2g and released patch version 3.0.15 addressing this buffer overflow (CWE-125: Out-of-bounds Read).

Suse Denial Of Service Apache +4
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.

Docker CSRF PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Remote code execution as root in nginx-ui versions before 2.3.8 via unauthenticated backup restore within 10-minute startup window. Attackers exploit the completely unauthenticated /api/restore endpoint during initial installation to upload malicious backup archives that overwrite app.ini configuration with injected OS commands in TestConfigCmd setting. After automatic application restart, command injection triggers with privileges of the nginx-ui process - typically root in Docker deployments. EPSS data not available; no active exploitation reported but publicly disclosed via GitHub Security Advisory GHSA-4pvg-prr3-9cxr. Patch released in version 2.3.8.

Command Injection Nginx RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

nginx-ui versions prior to 2.3.8 expose 40+ protected configuration fields through the GetSettings API to authenticated users, including JwtSecret (auth token forgery), NodeSecret (cluster impersonation), and OIDC ClientSecret (OAuth takeover). The protected tag is enforced only during writes but completely ignored during reads, allowing authenticated attackers to extract sensitive secrets and IP whitelist configurations without requiring additional privileges or user interaction.

Information Disclosure Nginx
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated bootstrap takeover in nginx-ui 2.3.5 allows remote attackers to hijack the initial installation process via crafted POST requests to /api/install endpoint. An attacker who successfully exploits the installation window gains full administrative control over the nginx-ui instance before legitimate administrators complete setup. No vendor-released patch identified at time of analysis, creating extended exposure risk for newly deployed instances.

Authentication Bypass Nginx
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unauthenticated attackers can hijack the administrator account during nginx-ui's first-run installation window by claiming the /api/install endpoint before legitimate operators. This race-condition vulnerability in nginx-ui versions 2.0.0 through 2.3.7 bypasses authentication controls entirely, allowing complete instance takeover with attacker-controlled credentials. The request-encryption mechanism protects only transit confidentiality, not authorization. Attack complexity is rated HIGH due to the narrow time window between deployment and legitimate setup completion. EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis, but exploitation requires only standard HTTP tools and timing.

Authentication Bypass Nginx
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

nginx-ui prior to version 2.3.8 exposes sensitive configuration values including node.secret via an authenticated GET /api/settings endpoint, allowing an authenticated user to retrieve the shared authentication secret and subsequently impersonate the init administrative user by sending requests with the stolen node.secret via the X-Node-Secret header or node_secret query parameter. This enables privilege escalation and full administrative access to the Nginx configuration interface without additional authentication.

Information Disclosure Nginx
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Plack::Middleware::XSendfile through version 1.0053 allows remote unauthenticated attackers to read arbitrary files from nginx-proxied servers by injecting malicious X-Sendfile-Type and X-Accel-Mapping headers. When the middleware's sendfile type is not explicitly configured, clients can force nginx's X-Accel-Redirect mode and manipulate path mappings to access sensitive files outside intended directories. The middleware has been deprecated as of version 1.0053 and will be removed in future Plack releases. EPSS score of 0.01% suggests low current exploitation activity despite the high CVSS 9.1 rating. No public exploit code identified at time of analysis, though the attack technique mirrors the documented CVE-2025-61780 vulnerability in Rack::Sendfile.

Information Disclosure Nginx
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Authentication bypass in Traefik's ForwardAuth middleware allows remote attackers to spoof the X-Forwarded-Prefix header and gain unauthorized access to protected backend routes when deployed behind trusted upstream proxies. Despite trustForwardHeader=false configuration, Traefik fails to sanitize attacker-controlled X-Forwarded-Prefix values in authentication subrequests, enabling attackers to impersonate trusted path prefixes (e.g., /admin) and bypass authorization checks in the authentication service. The vulnerability affects Traefik v2.x and v3.x series and is confirmed patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. No KEV listing or EPSS data available at time of analysis, but a detailed proof-of-concept with complete Docker reproduction environment is publicly available in the GitHub advisory, significantly lowering exploitation complexity for attackers.

Docker Nginx Authentication Bypass +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Attackers can forge Stripe webhook events to obtain unlimited API quota without payment in QuantumNous new-api (Go package github.com/QuantumNous/new-api). The vulnerability exploits an empty default webhook secret that allows HMAC signature forgery, missing payment status validation, and cross-gateway order fulfillment logic that permits completing orders created through any payment provider (Epay, Creem, Waffo) via fabricated Stripe callbacks. Virtually all deployments with any payment method enabled are vulnerable in default configuration. Fixed in version 0.12.10. No public exploit code identified at time of analysis, but the detailed advisory includes a proof-of-concept pseudocode demonstrating the attack chain. CVSS 7.1 (High) with low attack complexity and low privileges required indicates practical exploitation risk for deployed instances.

Google Nginx Python +1
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Command injection in Roxy-WI versions prior to 8.2.6.4 enables authenticated attackers to execute arbitrary OS commands with sudo privileges on managed servers. The vulnerability stems from unsanitized input in the /config/<service>/find-in-config endpoint that breaks out of grep command context during remote SSH execution. A proof-of-concept exploit exists (CVSS E:P), and the CVSS 4.0 score of 7.4 reflects network-based attack with low complexity requiring only low-privilege authentication. Vendor-released patch 8.2.6.4 available via GitHub commit 02f147d.

RCE Nginx Command Injection +1
NVD GitHub
EPSS 0% CVSS 8.9
HIGH PATCH This Week

SQL injection in Roxy-WI versions before 8.2.6.4 allows remote unauthenticated attackers to execute arbitrary SQL commands via the server_ip parameter in the haproxy_section_save function. The vulnerability stems from unsanitized URL path parameters being directly interpolated into SQL queries using Python string formatting. Proof-of-concept code exists (CVSS E:P), and the CVSS 4.0 score of 8.9 with network vector (AV:N), low complexity (AC:L), and no authentication (PR:N) indicates a critical, easily exploitable vulnerability. Vendor-released patch available in version 8.2.6.4.

Nginx SQLi Python +1
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Arbitrary file read in Roxy-WI versions before 8.2.6.4 allows unauthenticated remote attackers to access sensitive files on the server via path traversal in the oldconfig parameter of the haproxy_section_save interface. This CVSS:4.0 vector indicates zero attack complexity and no prerequisites, enabling trivial exploitation to exfiltrate configuration files, credentials, or private keys. GitHub Security Advisory confirms the vulnerability with proof-of-concept exploitation status (E:P), representing immediate risk for exposed Roxy-WI management interfaces.

Nginx Apache Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Remote code execution in Roxy-WI versions before 8.2.6.4 allows unauthenticated attackers to write malicious code into scheduled tasks via path traversal in the haproxy_section_save interface. The vulnerability chains CWE-22 path traversal with cron job manipulation, enabling arbitrary command execution on servers managing HAProxy, Nginx, Apache, and Keepalived infrastructure. CVSS 8.9 with network attack vector and no privileges required indicates critical risk, though EPSS data and KEV status are unavailable to confirm active exploitation.

RCE Nginx Apache +1
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

LDAP injection in Roxy-WI web management interface (all versions through 8.2.8.2) allows complete authentication bypass when LDAP authentication is enabled. Unauthenticated remote attackers can inject LDAP filter metacharacters into the username field to manipulate directory queries and access the application without valid credentials. Proof-of-concept code exists (CVSS:4.0 E:P). No vendor patch available at time of publication, affecting production deployments managing Haproxy, Nginx, Apache, and Keepalived infrastructure.

Apache Authentication Bypass Nginx
NVD GitHub
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy