Skip to main content

Nginx

375 CVEs vendor

Monthly

CVE-2025-24514 Go HIGH POC PATCH THREAT CERT-EU Act Now

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 23.0%.

Nginx RCE Kubernetes Red Hat Suse
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
23.0%
Threat
4.0
CVE-2025-24513 Go MEDIUM PATCH This Month

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature,. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Nginx Kubernetes Path Traversal Denial Of Service Red Hat +1
NVD GitHub
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-1974 Go CRITICAL POC PATCH THREAT CERT-EU Act Now

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access to achieve arbitrary code execution in the controller context. Dubbed 'IngressNightmare', this flaw exposes cluster Secrets including TLS certificates and service account tokens accessible to the ingress controller.

Nginx RCE Kubernetes Red Hat Suse
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
90.3%
Threat
6.2
CVE-2025-1098 Go HIGH POC PATCH THREAT CERT-EU Act Now

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress annotations. Attackers can inject arbitrary NGINX configuration directives that lead to code execution in the ingress controller context, exposing cluster Secrets. This is a companion vulnerability to CVE-2025-1974 (IngressNightmare).

Nginx RCE Kubernetes Red Hat Suse
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
49.9%
Threat
4.8
CVE-2025-1097 Go HIGH POC PATCH THREAT CERT-EU Act Now

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 20.8%.

Nginx RCE Kubernetes Red Hat Suse
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
20.8%
CVE-2025-1695 MEDIUM This Month

In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Java Denial Of Service Nginx Unit
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2022-49698 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: netfilter: use get_random_u32 instead of prandom bh might occur while updating per-cpu rnd_state from user context, ie. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Nginx Linux Information Disclosure Linux Kernel Red Hat +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-13869 HIGH POC PATCH THREAT Act Now

The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.7%.

Nginx File Upload Apache RCE WordPress +1
NVD GitHub
CVSS 3.1
7.2
EPSS
10.7%
CVE-2025-23419 MEDIUM PATCH This Month

When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Authentication Bypass Nginx Plus Debian Linux Red Hat +1
NVD
CVSS 4.0
5.3
EPSS
3.8%
CVE-2025-23001 MEDIUM This Month

A Host header injection vulnerability exists in CTFd 3.7.5, due to the application failing to properly validate or sanitize the Host header. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Nginx
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2025-23776 MEDIUM This Month

Missing Authorization vulnerability in Thorn Technologies LLC Cache Sniper for Nginx allows Exploiting Incorrectly Configured Access Control Security Levels.0.4.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Nginx
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-56236 MEDIUM This Month

Missing Authorization vulnerability in Jakob Bouchard Hestia Nginx Cache allows Exploiting Incorrectly Configured Access Control Security Levels.4.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Nginx
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-53991 MEDIUM POC THREAT This Month

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Nginx Discourse
NVD GitHub
CVSS 3.1
5.9
EPSS
25.4%
CVE-2024-10590 HIGH This Week

The Opt-In Downloads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the admin_upload() function in all versions up to, and including, 4.07. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress Nginx File Upload
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-10318 MEDIUM This Month

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Nginx Nginx Api Connectivity Manager Nginx Ingress Controller +2
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2024-21510 Ruby MEDIUM PATCH This Month

Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Open Redirect Nginx
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2024-49368 HIGH POC THREAT This Week

Nginx UI is a web user interface for the Nginx web server. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Nginx Nginx Ui
NVD GitHub
CVSS 4.0
8.9
EPSS
23.5%
CVE-2024-49367 MEDIUM This Month

Nginx UI is a web user interface for the Nginx web server. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Path Traversal Nginx Nginx Ui
NVD GitHub
CVSS 4.0
5.5
EPSS
0.6%
CVE-2024-49366 HIGH POC This Week

Nginx UI is a web user interface for the Nginx web server. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Nginx Nginx Ui
NVD GitHub
CVSS 4.0
7.7
EPSS
0.6%
CVE-2024-46257 MEDIUM POC PATCH This Month

A Command injection vulnerability in requestLetsEncryptSslWithDnsChallenge in NginxProxyManager 2.11.3 allows an attacker to achieve remote code execution via Add Let's Encrypt Certificate. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Command Injection RCE Nginx Nginx Proxy Manager
NVD GitHub
CVSS 3.1
6.3
EPSS
1.3%
CVE-2024-45614 Ruby MEDIUM PATCH This Month

Puma is a Ruby/Rack web server built for parallelism. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Nginx Puma
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2024-43804 HIGH POC This Week

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Apache Command Injection Nginx Roxy Wi
NVD GitHub
CVSS 3.1
8.8
EPSS
2.6%
CVE-2024-7634 MEDIUM This Month

NGINX Agent's "config_dirs" restriction feature allows a highly privileged attacker to gain the ability to write/overwrite files outside of the designated secure directory. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Nginx Nginx Agent Nginx Instance Manager
NVD
CVSS 4.0
6.9
EPSS
0.5%
CVE-2024-7646 Go HIGH This Week

A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Nginx Kubernetes
NVD GitHub
CVSS 3.1
8.8
EPSS
27.0%
CVE-2024-39792 HIGH This Week

When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory resource utilization. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Plus
NVD
CVSS 4.0
8.7
EPSS
0.6%
CVE-2024-41668 HIGH This Week

The cBioPortal for Cancer Genomics provides visualization, analysis, and download of large-scale cancer genomics data sets. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Nginx
NVD GitHub
CVSS 3.1
8.3
EPSS
0.6%
CVE-2024-39935 HIGH PATCH This Week

jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authenticated user (with certificate management privileges) via untrusted input to the DNS. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Command Injection Nginx Nginx Proxy Manager
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-3149 HIGH POC PATCH This Week

A Server-Side Request Forgery (SSRF) vulnerability exists in the upload link feature of mintplex-labs/anything-llm. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Nginx Anythingllm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-1076 MEDIUM POC This Month

The SSL Zen WordPress plugin before 4.6.0 does not properly prevent directory listing of the private keys folder, as it only relies on the use of .htaccess to prevent visitors from accessing the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Nginx Ssl Zen
NVD WPScan
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-27306 PyPI MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Nginx Python Aiohttp Fedora
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2024-1521 MEDIUM This Month

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an SVGZ file uploaded via the Form widget in all versions up to, and including, 3.20.1 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx XSS WordPress Apache Elementor Pro +1
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-28101 Cargo HIGH PATCH This Week

The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Nginx Apollo Router
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-24827 HIGH PATCH This Week

Discourse is an open source platform for community discussion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Nginx Denial Of Service Discourse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-24562 MEDIUM PATCH This Month

vantage6-UI is the official user interface for the vantage6 server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Docker Information Disclosure Nginx Vantage6 Ui
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-26615 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix illegal rmb_desc access in SMC-D connection dump A crash was found when dumping SMC-D connections. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Nginx Denial Of Service Linux Linux Kernel
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2024-24990 HIGH This Week

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Nginx Memory Corruption Nginx Open Source +1
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2024-24989 HIGH This Week

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Nginx Denial Of Service Nginx Open Source Nginx Plus
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2024-22200 MEDIUM PATCH This Month

vantage6-UI is the User Interface for vantage6. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Docker Information Disclosure Nginx Vantage6 Ui
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-23828 Go HIGH PATCH This Week

Nginx-UI is a web interface to manage Nginx configurations. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Ui
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
CVE-2024-23827 Go CRITICAL PATCH Act Now

Nginx-UI is a web interface to manage Nginx configurations. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Nginx Nginx Ui
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-50919 CRITICAL POC THREAT Emergency

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 52.3%.

Authentication Bypass Nginx Gl Ax1800 Firmware Gl Axt1800 Firmware Gl Mt3000 Firmware +9
NVD GitHub
CVSS 3.1
9.8
EPSS
52.3%
Threat
5.0
CVE-2024-22198 Go HIGH POC PATCH THREAT GHSA This Month

Nginx-UI is a web interface to manage Nginx configurations. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 16.0%.

Privilege Escalation Command Injection Information Disclosure Nginx RCE +1
NVD GitHub
CVSS 3.1
7.1
EPSS
16.0%
CVE-2024-22196 Go HIGH POC PATCH GHSA This Month

Nginx-UI is an online statistics for Server Indicators​​ Monitor CPU usage, memory usage, load average, and disk usage in real-time. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Nginx SQLi Nginx Ui
NVD GitHub
CVSS 3.1
7.0
EPSS
0.7%
CVE-2024-22197 Go HIGH POC PATCH GHSA This Month

Nginx-ui is online statistics for Server Indicators​​ Monitor CPU usage, memory usage, load average, and disk usage in real-time. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Privilege Escalation Command Injection Information Disclosure Nginx RCE +1
NVD GitHub
CVSS 3.1
7.7
EPSS
3.1%
CVE-2023-47106 Go MEDIUM POC PATCH This Month

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Nginx Traefik
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-5044 Go HIGH PATCH This Week

Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Kubernetes Code Injection Nginx Ingress Nginx
NVD GitHub
CVSS 3.1
8.8
EPSS
56.6%
CVE-2023-5043 Go HIGH PATCH This Week

Ingress nginx annotation injection causes arbitrary command execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Nginx Ingress Nginx
NVD GitHub
CVSS 3.1
8.8
EPSS
2.2%
CVE-2023-44388 HIGH This Week

Discourse is an open source platform for community discussion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Nginx Discourse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-45132 CRITICAL PATCH Act Now

NAXSI is an open-source maintenance web application firewall (WAF) for NGINX. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Nginx Naxsi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-42457 PyPI HIGH PATCH This Week

plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Apache Denial Of Service Nginx Rest
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-4335 HIGH This Week

Broadcom RAID Controller Web server (nginx) is serving private server-side files without any authentication on Linux. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Broadcom Authentication Bypass Raid Controller Web Interface
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-4334 HIGH This Week

Broadcom RAID Controller Web server (nginx) is serving private files without any authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Broadcom Authentication Bypass Raid Controller Web Interface
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-36809 PyPI MEDIUM POC PATCH This Month

Kiwi TCMS, an open source test management system allows users to upload attachments to test plans, test cases, etc. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Mozilla XSS Nginx File Upload Kiwi Tcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2023-34450 Go MEDIUM POC PATCH This Month

CometBFT is a Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine and replicates it on many machines. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Nginx Cometbft
NVD GitHub
CVSS 3.1
5.3
EPSS
0.9%
CVE-2023-33977 PyPI MEDIUM POC PATCH This Month

Kiwi TCMS is an open source test management system for both manual and automated testing. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Nginx Kiwi Tcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.9%
CVE-2023-28724 HIGH This Week

NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Nginx Nginx Api Connectivity Manager Nginx Instance Manager Nginx Security Monitoring
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2023-28656 HIGH This Week

NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Authentication Bypass Cloud Backup Ontap Select Deploy Nginx Api Connectivity Manager +2
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2023-29004 MEDIUM POC This Month

hap-wi/roxy-wi is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Nginx Roxy Wi
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2023-27730 HIGH POC This Week

Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_lvlhsh_find at src/njs_lvlhsh.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Nginx Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-27729 HIGH PATCH This Week

Nginx NJS v0.7.10 was discovered to contain an illegal memcpy via the function njs_vmcode_return at src/njs_vmcode.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Nginx Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-27728 HIGH POC This Week

Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_dump_is_recursive at src/njs_vmcode.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Nginx Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-27727 HIGH POC This Week

Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_function_frame at src/njs_function.h. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Nginx Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-1550 MEDIUM This Month

Insertion of Sensitive Information into log file vulnerability in NGINX Agent. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Agent Nginx Instance Manager
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-25804 MEDIUM POC This Month

Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Nginx Roxy Wi
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
CVE-2023-25803 HIGH POC This Week

Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Nginx Roxy Wi
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-25802 HIGH POC PATCH This Week

Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Path Traversal Nginx Roxy Wi
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-20088 HIGH This Week

A vulnerability in the nginx configurations that are provided as part of the VPN-less reverse proxy for Cisco Finesse could allow an unauthenticated, remote attacker to create a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Cisco Denial Of Service Authentication Bypass Finesse
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-24814 PHP MEDIUM POC PATCH This Month

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache XSS Nginx Typo3
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2023-23596 HIGH POC THREAT This Week

jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Nginx Nginx Proxy Manager
NVD GitHub
CVSS 3.1
8.8
EPSS
15.2%
CVE-2022-23470 HIGH PATCH This Week

Galaxy is an open-source platform for data analysis. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Apache Nginx Galaxy
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-43286 CRITICAL POC PATCH Act Now

Nginx NJS v0.7.2 was discovered to contain a heap-use-after-free bug caused by illegal memory copy in the function njs_json_parse_iterator_call at njs_json.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Information Disclosure Nginx Use After Free Njs
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-43285 HIGH POC This Week

Nginx NJS v0.7.4 was discovered to contain a segmentation violation in njs_promise_reaction_job. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Nginx Buffer Overflow Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-43284 HIGH POC This Week

Nginx NJS v0.7.2 to v0.7.4 was discovered to contain a segmentation violation via njs_scope_valid_value at njs_scope.h. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-41743 HIGH This Week

NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or. Rated high severity (CVSS 7.0). No vendor patch available.

Memory Corruption Nginx Buffer Overflow Nginx Ingress Controller Nginx Plus
NVD
CVSS 3.1
7.0
EPSS
0.2%
CVE-2022-41742 HIGH This Week

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Nginx Buffer Overflow Nginx Ingress Controller Fedora +1
NVD
CVSS 3.1
7.1
EPSS
1.1%
CVE-2022-41741 HIGH This Week

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Nginx Buffer Overflow Nginx Ingress Controller Fedora +1
NVD
CVSS 3.1
7.8
EPSS
0.8%
CVE-2022-41347 HIGH POC PATCH This Week

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Nginx Information Disclosure Collaboration
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2022-38890 MEDIUM POC This Month

Nginx NJS v0.7.7 was discovered to contain a segmentation violation via njs_utf8_next at src/njs_utf8.h. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Buffer Overflow Njs
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2022-29062 MEDIUM This Month

Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiSOAR before 7.2.1 allows an authenticated attacker to write to the underlying filesystem with nginx permissions via crafted. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet Nginx Path Traversal Fortisoar
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-35173 HIGH POC PATCH This Week

An issue was discovered in Nginx NJS v0.7.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-35241 MEDIUM This Month

In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Denial Of Service Nginx Instance Manager
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-30535 MEDIUM This Month

In versions 2.x before 2.3.0 and all versions of 1.x, An attacker authorized to create or update ingress objects can obtain the secrets available to the NGINX Ingress Controller. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Ingress Controller
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-35925 CRITICAL POC PATCH Act Now

BookWyrm is a social network for tracking reading. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Authentication Bypass Bookwyrm
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2022-31182 MEDIUM PATCH This Month

Discourse is the an open source discussion platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Nginx Information Disclosure Discourse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2022-34032 HIGH POC This Week

Nginx NJS v0.7.5 was discovered to contain a segmentation violation in the function njs_value_own_enumerate at src/njs_value.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-34031 HIGH POC This Week

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_value_to_number at src/njs_value_conversion.h. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-34030 HIGH POC This Week

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_djb_hash at src/njs_djb_hash.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-34029 CRITICAL POC Act Now

Nginx NJS v0.7.4 was discovered to contain an out-of-bounds read via njs_scope_value at njs_scope.h. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Buffer Overflow Information Disclosure Njs
NVD GitHub
CVSS 3.1
9.1
EPSS
1.0%
CVE-2022-34028 HIGH POC This Week

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_utf8_next at src/njs_utf8.h. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-34027 HIGH POC This Week

Nginx NJS v0.7.4 was discovered to contain a segmentation violation via njs_value_property at njs_value.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
EPSS 23% 4.0 CVSS 8.8
HIGH POC PATCH THREAT Act Now

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 23.0%.

Nginx RCE Kubernetes +2
NVD GitHub Exploit-DB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature,. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Nginx Kubernetes Path Traversal +3
NVD GitHub
EPSS 90% 6.2 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access to achieve arbitrary code execution in the controller context. Dubbed 'IngressNightmare', this flaw exposes cluster Secrets including TLS certificates and service account tokens accessible to the ingress controller.

Nginx RCE Kubernetes +2
NVD GitHub Exploit-DB
EPSS 50% 4.8 CVSS 8.8
HIGH POC PATCH THREAT Act Now

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress annotations. Attackers can inject arbitrary NGINX configuration directives that lead to code execution in the ingress controller context, exposing cluster Secrets. This is a companion vulnerability to CVE-2025-1974 (IngressNightmare).

Nginx RCE Kubernetes +2
NVD GitHub Exploit-DB
EPSS 21% CVSS 8.8
HIGH POC PATCH THREAT Act Now

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 20.8%.

Nginx RCE Kubernetes +2
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM This Month

In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Java Denial Of Service +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: netfilter: use get_random_u32 instead of prandom bh might occur while updating per-cpu rnd_state from user context, ie. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Nginx Linux Information Disclosure +3
NVD
EPSS 11% CVSS 7.2
HIGH POC PATCH THREAT Act Now

The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.7%.

Nginx File Upload Apache +3
NVD GitHub
EPSS 4% CVSS 5.3
MEDIUM PATCH This Month

When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Authentication Bypass Nginx Plus +3
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

A Host header injection vulnerability exists in CTFd 3.7.5, due to the application failing to properly validate or sanitize the Host header. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Nginx
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization vulnerability in Thorn Technologies LLC Cache Sniper for Nginx allows Exploiting Incorrectly Configured Access Control Security Levels.0.4.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Nginx
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization vulnerability in Jakob Bouchard Hestia Nginx Cache allows Exploiting Incorrectly Configured Access Control Security Levels.4.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Nginx
NVD
EPSS 25% CVSS 5.9
MEDIUM POC THREAT This Month

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Nginx Discourse
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

The Opt-In Downloads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the admin_upload() function in all versions up to, and including, 4.07. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress Nginx +1
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Nginx +4
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Open Redirect Nginx
NVD GitHub
EPSS 23% CVSS 8.9
HIGH POC THREAT This Week

Nginx UI is a web user interface for the Nginx web server. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Nginx Nginx Ui
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM This Month

Nginx UI is a web user interface for the Nginx web server. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Path Traversal Nginx +1
NVD GitHub
EPSS 1% CVSS 7.7
HIGH POC This Week

Nginx UI is a web user interface for the Nginx web server. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Nginx Nginx Ui
NVD GitHub
EPSS 1% CVSS 6.3
MEDIUM POC PATCH This Month

A Command injection vulnerability in requestLetsEncryptSslWithDnsChallenge in NginxProxyManager 2.11.3 allows an attacker to achieve remote code execution via Add Let's Encrypt Certificate. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Command Injection RCE +2
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Puma is a Ruby/Rack web server built for parallelism. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Nginx Puma
NVD GitHub
EPSS 3% CVSS 8.8
HIGH POC This Week

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Apache Command Injection +2
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

NGINX Agent's "config_dirs" restriction feature allows a highly privileged attacker to gain the ability to write/overwrite files outside of the designated secure directory. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Nginx Nginx Agent +1
NVD
EPSS 27% CVSS 8.8
HIGH This Week

A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Nginx Kubernetes
NVD GitHub
EPSS 1% CVSS 8.7
HIGH This Week

When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory resource utilization. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Plus
NVD
EPSS 1% CVSS 8.3
HIGH This Week

The cBioPortal for Cancer Genomics provides visualization, analysis, and download of large-scale cancer genomics data sets. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Nginx
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authenticated user (with certificate management privileges) via untrusted input to the DNS. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Command Injection Nginx Nginx Proxy Manager
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

A Server-Side Request Forgery (SSRF) vulnerability exists in the upload link feature of mintplex-labs/anything-llm. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Nginx Anythingllm
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The SSL Zen WordPress plugin before 4.6.0 does not properly prevent directory listing of the private keys folder, as it only relies on the use of .htaccess to prevent visitors from accessing the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Nginx +1
NVD WPScan
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Nginx Python +2
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an SVGZ file uploaded via the Form widget in all versions up to, and including, 3.20.1 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx XSS WordPress +3
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Nginx Apollo Router
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Discourse is an open source platform for community discussion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Nginx Denial Of Service Discourse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

vantage6-UI is the official user interface for the vantage6 server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Docker Information Disclosure Nginx +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix illegal rmb_desc access in SMC-D connection dump A crash was found when dumping SMC-D connections. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Nginx Denial Of Service +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Nginx +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Nginx Denial Of Service +2
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

vantage6-UI is the User Interface for vantage6. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Docker Information Disclosure Nginx +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Nginx-UI is a web interface to manage Nginx configurations. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Ui
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Nginx-UI is a web interface to manage Nginx configurations. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Nginx +1
NVD GitHub
EPSS 52% 5.0 CVSS 9.8
CRITICAL POC THREAT Emergency

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 52.3%.

Authentication Bypass Nginx Gl Ax1800 Firmware +11
NVD GitHub
EPSS 16% CVSS 7.1
HIGH POC PATCH THREAT This Month

Nginx-UI is a web interface to manage Nginx configurations. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 16.0%.

Privilege Escalation Command Injection Information Disclosure +3
NVD GitHub
EPSS 1% CVSS 7.0
HIGH POC PATCH This Month

Nginx-UI is an online statistics for Server Indicators​​ Monitor CPU usage, memory usage, load average, and disk usage in real-time. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Nginx SQLi +1
NVD GitHub
EPSS 3% CVSS 7.7
HIGH POC PATCH This Month

Nginx-ui is online statistics for Server Indicators​​ Monitor CPU usage, memory usage, load average, and disk usage in real-time. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Privilege Escalation Command Injection Information Disclosure +3
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Nginx Traefik
NVD GitHub
EPSS 57% CVSS 8.8
HIGH PATCH This Week

Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Kubernetes Code Injection Nginx +1
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Ingress nginx annotation injection causes arbitrary command execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Nginx Ingress Nginx
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Discourse is an open source platform for community discussion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Nginx Discourse
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

NAXSI is an open-source maintenance web application firewall (WAF) for NGINX. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Nginx Naxsi
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Apache Denial Of Service Nginx +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Broadcom RAID Controller Web server (nginx) is serving private server-side files without any authentication on Linux. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Broadcom Authentication Bypass +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Broadcom RAID Controller Web server (nginx) is serving private files without any authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Broadcom Authentication Bypass +1
NVD
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Kiwi TCMS, an open source test management system allows users to upload attachments to test plans, test cases, etc. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Mozilla XSS Nginx +2
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

CometBFT is a Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine and replicates it on many machines. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Nginx Cometbft
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Kiwi TCMS is an open source test management system for both manual and automated testing. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Nginx Kiwi Tcms
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Nginx Nginx Api Connectivity Manager +2
NVD
EPSS 1% CVSS 8.1
HIGH This Week

NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Authentication Bypass Cloud Backup +4
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

hap-wi/roxy-wi is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Nginx +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_lvlhsh_find at src/njs_lvlhsh.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Nginx +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Nginx NJS v0.7.10 was discovered to contain an illegal memcpy via the function njs_vmcode_return at src/njs_vmcode.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Nginx Njs
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_dump_is_recursive at src/njs_vmcode.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Nginx +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_function_frame at src/njs_function.h. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Nginx +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Insertion of Sensitive Information into log file vulnerability in NGINX Agent. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Agent +1
NVD
EPSS 1% CVSS 5.3
MEDIUM POC This Month

Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Nginx +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Nginx +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Path Traversal Nginx +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

A vulnerability in the nginx configurations that are provided as part of the VPN-less reverse proxy for Cisco Finesse could allow an unauthenticated, remote attacker to create a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Cisco Denial Of Service +2
NVD
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache XSS Nginx +1
NVD GitHub
EPSS 15% CVSS 8.8
HIGH POC THREAT This Week

jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Nginx Nginx Proxy Manager
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Galaxy is an open-source platform for data analysis. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Apache Nginx +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Nginx NJS v0.7.2 was discovered to contain a heap-use-after-free bug caused by illegal memory copy in the function njs_json_parse_iterator_call at njs_json.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Information Disclosure Nginx +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Nginx NJS v0.7.4 was discovered to contain a segmentation violation in njs_promise_reaction_job. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Nginx Buffer Overflow +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Nginx NJS v0.7.2 to v0.7.4 was discovered to contain a segmentation violation via njs_scope_valid_value at njs_scope.h. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Week

NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or. Rated high severity (CVSS 7.0). No vendor patch available.

Memory Corruption Nginx Buffer Overflow +2
NVD
EPSS 1% CVSS 7.1
HIGH This Week

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Nginx Buffer Overflow +3
NVD
EPSS 1% CVSS 7.8
HIGH This Week

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Nginx Buffer Overflow +3
NVD
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Nginx Information Disclosure Collaboration
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Nginx NJS v0.7.7 was discovered to contain a segmentation violation via njs_utf8_next at src/njs_utf8.h. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Buffer Overflow +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiSOAR before 7.2.1 allows an authenticated attacker to write to the underlying filesystem with nginx permissions via crafted. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet Nginx Path Traversal +1
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

An issue was discovered in Nginx NJS v0.7.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Information Disclosure Njs
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Denial Of Service Nginx Instance Manager
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In versions 2.x before 2.3.0 and all versions of 1.x, An attacker authorized to create or update ingress objects can obtain the secrets available to the NGINX Ingress Controller. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Ingress Controller
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

BookWyrm is a social network for tracking reading. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Authentication Bypass Bookwyrm
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Discourse is the an open source discussion platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Nginx Information Disclosure Discourse
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Nginx NJS v0.7.5 was discovered to contain a segmentation violation in the function njs_value_own_enumerate at src/njs_value.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_value_to_number at src/njs_value_conversion.h. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_djb_hash at src/njs_djb_hash.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

Nginx NJS v0.7.4 was discovered to contain an out-of-bounds read via njs_scope_value at njs_scope.h. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_utf8_next at src/njs_utf8.h. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Nginx NJS v0.7.4 was discovered to contain a segmentation violation via njs_value_property at njs_value.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
Prev Page 3 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy