Skip to main content

Nginx

375 CVEs vendor

Monthly

CVE-2022-31161 CRITICAL POC THREAT Act Now

Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Nginx Roxy Wi
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
26.8%
CVE-2022-31137 CRITICAL POC PATCH THREAT Act Now

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Apache Command Injection Nginx Roxy Wi
NVD GitHub
CVSS 3.1
9.8
EPSS
90.4%
CVE-2022-31126 CRITICAL POC THREAT Act Now

Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Apache Nginx Roxy Wi
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
49.9%
CVE-2022-31125 CRITICAL POC THREAT Act Now

Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apache Nginx Roxy Wi
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
19.7%
CVE-2022-31081 MEDIUM POC PATCH This Month

HTTP::Daemon is a simple http server class written in perl. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Apache Nginx Request Smuggling Debian Linux
NVD GitHub
CVSS 3.1
6.5
EPSS
2.1%
CVE-2022-32414 MEDIUM POC PATCH This Month

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_vmcode_interpreter at src/njs_vmcode.c. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Use After Free Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
5.5
EPSS
0.6%
CVE-2022-31307 MEDIUM POC PATCH This Month

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_string_offset at src/njs_string.c. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Use After Free Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
5.5
EPSS
0.6%
CVE-2022-31306 MEDIUM POC PATCH This Month

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_array_convert_to_slow_array at src/njs_array.c. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Use After Free Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
5.5
EPSS
0.6%
CVE-2022-30503 MEDIUM PATCH This Month

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_set_number at src/njs_value.h. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2022-29780 MEDIUM POC PATCH This Month

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_array_prototype_sort at src/njs_array.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
5.5
EPSS
0.4%
CVE-2022-29779 MEDIUM POC PATCH This Month

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_value_own_enumerate at src/njs_value.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
5.5
EPSS
0.4%
CVE-2022-29169 HIGH PATCH This Week

BigBlueButton is an open source web conferencing system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Nginx Bigbluebutton
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-29379 CRITICAL POC PATCH Act Now

Nginx NJS v0.7.3 was discovered to contain a stack overflow in the function njs_default_module_loader at /src/njs/src/njs_module.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Nginx Buffer Overflow Njs
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-29588 HIGH This Week

Konica Minolta bizhub MFP devices before 2022-04-14 use cleartext password storage for the /var/log/nginx/html/ADMINPASS and /etc/shadow files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Information Disclosure Bizhub 226I Firmware Bizhub 227 Firmware Bizhub 246I Firmware +42
NVD
CVSS 3.1
7.5
EPSS
1.7%
CVE-2022-29369 HIGH PATCH This Week

Nginx NJS v0.7.2 was discovered to contain a segmentation violation via njs_lvlhsh_bucket_find at njs_lvlhsh.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-27495 MEDIUM This Month

On all versions 1.3.x (fixed in 1.4.0) NGINX Service Mesh control plane endpoints are exposed to the cluster overlay network. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Nginx Nginx Service Mesh
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-28049 MEDIUM POC PATCH This Month

NGINX NJS 0.7.2 was discovered to contain a NULL pointer dereference via the component njs_vmcode_array at /src/njs_vmcode.c. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Nginx Null Pointer Dereference Njs
NVD GitHub
CVSS 3.1
5.5
EPSS
0.8%
CVE-2022-27008 HIGH POC PATCH This Week

nginx njs 0.7.2 is vulnerable to Buffer Overflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Buffer Overflow Njs
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2022-27007 CRITICAL POC PATCH Act Now

nginx njs 0.7.2 is affected suffers from Use-after-free in njs_function_frame_alloc() when it try to invoke from a restored frame saved with njs_function_frame_save(). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Use After Free Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2022-28379 MEDIUM POC THREAT This Month

jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item deletion. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Nginx Nginx Proxy Manager
NVD GitHub
CVSS 3.1
4.8
EPSS
71.2%
CVE-2021-43840 Ruby MEDIUM PATCH This Month

message_bus is a messaging bus for Ruby processes and web clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Nginx Path Traversal Message Bus
NVD GitHub
CVSS 3.1
6.5
EPSS
1.9%
CVE-2021-42717 HIGH POC PATCH This Week

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Information Disclosure Modsecurity Nginx Modsecurity Waf Debian Linux +2
NVD
CVSS 3.1
7.5
EPSS
3.2%
CVE-2021-25742 HIGH POC This Week

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Ingress Nginx Trident
NVD GitHub
CVSS 3.1
7.1
EPSS
1.8%
CVE-2021-41188 PHP MEDIUM PATCH This Month

Shopware is open source e-commerce software. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Nginx XSS Shopware
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-3882 MEDIUM POC PATCH This Month

LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Nginx Apache Information Disclosure Ledgersmb
NVD GitHub
CVSS 3.1
6.8
EPSS
0.9%
CVE-2021-23050 HIGH This Week

On BIG-IP Advanced WAF and BIG-IP ASM version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3 and NGINX App Protect on all versions before 3.5.0, when a cross-site request forgery (CSRF)-enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Nginx Big Ip Advanced Web Application Firewall Big Ip Application Security Manager Nginx App Protect
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2021-24490 MEDIUM POC This Month

The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Nginx WordPress Email Artillery
NVD WPScan
CVSS 3.1
6.8
EPSS
0.6%
CVE-2021-38712 HIGH POC This Week

OneNav 0.9.12 allows Information Disclosure of the onenav.db3 contents. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Onenav
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-23021 MEDIUM This Month

The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-23019 HIGH This Week

The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-23017 HIGH POC PATCH THREAT This Week

A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Nginx Denial Of Service Openresty Fedora Ontap Select Deploy Administration Utility +9
NVD Exploit-DB
CVSS 3.1
7.7
EPSS
53.5%
CVE-2021-23018 HIGH This Week

Intra-cluster communication does not use TLS. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
CVSS 3.1
7.4
EPSS
0.5%
CVE-2021-32637 Go CRITICAL POC PATCH Act Now

Authelia is a a single sign-on multi-factor portal for web apps. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Authentication Bypass Authelia
NVD GitHub
CVSS 3.1
10.0
EPSS
1.9%
CVE-2021-29509 Ruby HIGH PATCH This Week

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Nginx Apache Denial Of Service Puma Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2021-21396 MEDIUM PATCH This Month

wire-server is an open-source back end for Wire, a secure collaboration platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Nginx Information Disclosure Wire Server
NVD GitHub
CVSS 3.1
6.5
EPSS
1.1%
CVE-2020-29238 HIGH POC THREAT Act Now

An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server running as reverse proxy via specially crafted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.7%.

Buffer Overflow Integer Overflow Nginx Expressvpn
NVD Exploit-DB VulDB
CVSS 3.1
7.5
EPSS
16.7%
CVE-2021-21335 CRITICAL PATCH Act Now

In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-nginx-module) before version 1.1.1 basic Authentication can be bypassed using a malformed username. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Nginx Authentication Bypass Spnego Http Authentication Module
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2020-27730 CRITICAL Act Now

In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Path Traversal Nginx Controller Cloud Backup
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2020-24660 npm CRITICAL POC PATCH Act Now

An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Authentication Bypass Nginx Lemonldap Debian Linux
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2020-5416 MEDIUM This Month

Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Nginx Cf Deployment Routing Release
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2020-24349 MEDIUM POC This Month

njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Use After Free Memory Corruption Nginx Njs
NVD GitHub
CVSS 3.1
5.5
EPSS
0.5%
CVE-2020-24348 MEDIUM POC This Month

njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
5.5
EPSS
0.4%
CVE-2020-24347 MEDIUM POC This Month

njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_lvlhsh_level_find in njs_lvlhsh.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.1
5.5
EPSS
0.4%
CVE-2020-24346 HIGH POC This Week

njs through 0.4.3, used in NGINX, has a use-after-free in njs_json_parse_iterator_call in njs_json.c. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Use After Free Memory Corruption Nginx Njs
NVD GitHub
CVSS 3.1
7.8
EPSS
1.0%
CVE-2020-8553 Go MEDIUM PATCH This Month

The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Kubernetes Nginx Ingress Nginx
NVD GitHub
CVSS 3.1
5.9
EPSS
0.9%
CVE-2020-5911 HIGH This Week

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubuntu Nginx Debian Kubernetes Information Disclosure +1
NVD
CVSS 3.1
7.3
EPSS
1.0%
CVE-2020-5910 HIGH This Week

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Nginx Nginx Controller
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-5909 MEDIUM This Month

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2020-5901 CRITICAL Act Now

In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Nginx Nginx Controller
NVD
CVSS 3.1
9.6
EPSS
1.5%
CVE-2020-5899 HIGH This Week

In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2020-5900 HIGH This Week

In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Nginx Nginx Controller
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2020-11959 HIGH This Week

An unsafe configuration of nginx lead to information leak in Xiaomi router R3600 ROM before 1.0.50. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nginx Xiaomi R3600 Firmware
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-5895 HIGH This Week

On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-5894 HIGH This Week

On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Nginx Nginx Controller
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2020-12443 CRITICAL POC PATCH Act Now

BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Privilege Escalation Nginx Path Traversal Bigbluebutton
NVD GitHub
CVSS 3.1
9.8
EPSS
3.6%
CVE-2020-5867 HIGH This Week

In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Nginx Nginx Controller Cloud Backup
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2020-5866 MEDIUM This Month

In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-5865 MEDIUM This Month

In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Nginx Nginx Controller Cloud Backup
NVD
CVSS 3.1
4.8
EPSS
0.4%
CVE-2020-5864 HIGH This Week

In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by default. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
CVSS 3.1
7.4
EPSS
1.0%
CVE-2020-7621 npm CRITICAL Act Now

strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Nginx Strongloop Nginx Controller
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2020-5863 HIGH This Week

In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller Cloud Backup
NVD
CVSS 3.1
8.6
EPSS
1.1%
CVE-2019-18371 HIGH POC THREAT This Week

An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Nginx Millet Router 3G Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
55.9%
CVE-2019-15517 MEDIUM PATCH This Month

jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory traversal. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Nginx Nginx Proxy Manager
NVD GitHub
CVSS 3.0
5.5
EPSS
0.7%
CVE-2019-9516 MEDIUM This Month

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server Ubuntu Linux Debian Linux +15
NVD GitHub
CVSS 3.1
6.5
EPSS
56.3%
CVE-2019-9513 HIGH This Week

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server Ubuntu Linux Debian Linux +16
NVD GitHub
CVSS 3.1
7.5
EPSS
82.0%
CVE-2019-9511 HIGH PATCH This Week

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Swiftnio Traffic Server Ubuntu Linux Debian Linux +16
NVD GitHub
CVSS 3.1
7.5
EPSS
58.4%
CVE-2019-13980 HIGH POC This Week

In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Nginx Apache RCE +1
NVD GitHub
CVSS 3.0
8.8
EPSS
2.5%
CVE-2019-13617 MEDIUM POC This Month

njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in nxt_vsprintf in nxt/nxt_sprintf.c during error handling, as demonstrated by an njs_regexp_literal call that leads to an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.0
6.5
EPSS
1.3%
CVE-2019-13067 CRITICAL POC Act Now

njs through 0.3.3, used in NGINX, has a buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.0
9.8
EPSS
1.6%
CVE-2019-12938 MEDIUM POC This Month

The Roundcube component of Analogic Poste.io 2.1.6 uses .htaccess to protect the logs/ folder, which is effective with the Apache HTTP Server but is ineffective with nginx. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Apache Poste Io
NVD
CVSS 3.0
4.3
EPSS
1.0%
CVE-2019-12208 CRITICAL POC Act Now

njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in njs_function_native_call in njs/njs_function.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Memory Corruption Njs
NVD GitHub
CVSS 3.0
9.8
EPSS
1.7%
CVE-2019-12207 CRITICAL POC Act Now

njs through 0.3.1, used in NGINX, has a heap-based buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.0
9.8
EPSS
1.8%
CVE-2019-12206 CRITICAL POC Act Now

njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in nxt_utf8_encode in nxt_utf8.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Memory Corruption Njs
NVD GitHub
CVSS 3.0
9.8
EPSS
2.0%
CVE-2019-11839 CRITICAL POC Act Now

njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.push after a resize, related to njs_array_prototype_push in njs/njs_array.c, because of njs_array_expand size. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Memory Corruption Njs
NVD GitHub
CVSS 3.0
9.8
EPSS
1.6%
CVE-2019-11838 CRITICAL POC Act Now

njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.splice after a resize, related to njs_array_prototype_splice in njs/njs_array.c, because of njs_array_expand size. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Memory Corruption Njs
NVD GitHub
CVSS 3.0
9.8
EPSS
1.6%
CVE-2019-11837 HIGH POC This Week

njs through 0.3.1, used in NGINX, has a segmentation fault in String.prototype.toBytes for negative arguments, related to nxt_utf8_next in nxt/nxt_utf8.h and njs_string_offset in njs/njs_string.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.0
7.5
EPSS
1.4%
CVE-2019-9945 CRITICAL Act Now

SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Information Disclosure Cloud
NVD
CVSS 3.0
9.8
EPSS
5.8%
CVE-2019-7401 CRITICAL Act Now

NGINX Unit before 1.7.1 might allow an attacker to cause a heap-based buffer overflow in the router process with a specially crafted request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Nginx Memory Corruption Nginx Unit
NVD
CVSS 3.0
9.8
EPSS
2.9%
CVE-2018-16845 MEDIUM PATCH This Month

nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Nginx Debian Linux Ubuntu Linux Leap +1
NVD
CVSS 3.1
6.1
EPSS
9.8%
CVE-2018-16844 HIGH This Week

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Nginx Debian Linux Ubuntu Linux Xcode
NVD
CVSS 3.1
7.5
EPSS
12.4%
CVE-2018-16843 HIGH This Week

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Nginx Debian Linux Ubuntu Linux Leap +1
NVD
CVSS 3.1
7.5
EPSS
47.1%
CVE-2018-1000653 CRITICAL POC Act Now

zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Nginx Zzcms
NVD GitHub
CVSS 3.0
9.8
EPSS
1.2%
CVE-2018-11046 MEDIUM This Month

Pivotal Operations Manager, versions 2.1.x prior to 2.1.6 and version 2.0.14, includes NGINX packages that lacks security vulnerability patches. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Nginx Operations Manager
NVD
CVSS 3.0
6.5
EPSS
0.9%
CVE-2018-12029 Ruby HIGH PATCH This Week

A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Privilege Escalation Nginx Passenger Debian Linux
NVD
CVSS 3.0
7.0
EPSS
0.3%
CVE-2018-8059 HIGH This Week

The Djelibeybi configuration examples for use of NGINX in SUSE Portus 2.3, when applied to certain configurations involving Docker Compose, have a Missing SSL Certificate Validation issue because no. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Docker Nginx Portus
NVD
CVSS 3.0
8.8
EPSS
0.5%
CVE-2018-1299 HIGH This Week

In Apache Allura before 1.8.0, unauthenticated attackers may retrieve arbitrary files through the Allura web application. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Nginx Allura
NVD
CVSS 3.0
7.5
EPSS
3.1%
CVE-2017-7529 HIGH Act Now

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 91.9% and no vendor patch available.

Integer Overflow Nginx Information Disclosure Puppet Enterprise Xcode
NVD
CVSS 3.1
7.5
EPSS
91.9%
Threat
4.3
CVE-2017-8301 MEDIUM PATCH This Month

LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required.

Nginx Information Disclosure Libressl
NVD GitHub
CVSS 3.0
5.3
EPSS
0.2%
CVE-2016-10345 Ruby HIGH PATCH This Week

In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Nginx Privilege Escalation Passenger
NVD GitHub
CVSS 3.0
7.8
EPSS
0.1%
CVE-2016-1247 HIGH POC This Week

The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Nginx Debian Information Disclosure Ubuntu Fedora
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
9.8%
EPSS 27% CVSS 9.8
CRITICAL POC THREAT Act Now

Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Nginx Roxy Wi
NVD GitHub Exploit-DB
EPSS 90% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Apache Command Injection +2
NVD GitHub
EPSS 50% CVSS 9.8
CRITICAL POC THREAT Act Now

Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Apache Nginx +1
NVD GitHub Exploit-DB
EPSS 20% CVSS 9.8
CRITICAL POC THREAT Act Now

Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apache Nginx +1
NVD GitHub Exploit-DB
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

HTTP::Daemon is a simple http server class written in perl. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Apache Nginx +2
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_vmcode_interpreter at src/njs_vmcode.c. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Use After Free Nginx +2
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_string_offset at src/njs_string.c. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Use After Free Nginx +2
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_array_convert_to_slow_array at src/njs_array.c. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Use After Free Nginx +2
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_set_number at src/njs_value.h. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Nginx Information Disclosure Njs
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_array_prototype_sort at src/njs_array.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Nginx Information Disclosure Njs
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_value_own_enumerate at src/njs_value.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Nginx Information Disclosure Njs
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

BigBlueButton is an open source web conferencing system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Nginx Bigbluebutton
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Nginx NJS v0.7.3 was discovered to contain a stack overflow in the function njs_default_module_loader at /src/njs/src/njs_module.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Nginx Buffer Overflow +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH This Week

Konica Minolta bizhub MFP devices before 2022-04-14 use cleartext password storage for the /var/log/nginx/html/ADMINPASS and /etc/shadow files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Information Disclosure Bizhub 226I Firmware +44
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Nginx NJS v0.7.2 was discovered to contain a segmentation violation via njs_lvlhsh_bucket_find at njs_lvlhsh.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Nginx Information Disclosure Njs
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

On all versions 1.3.x (fixed in 1.4.0) NGINX Service Mesh control plane endpoints are exposed to the cluster overlay network. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Nginx Nginx Service Mesh
NVD
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

NGINX NJS 0.7.2 was discovered to contain a NULL pointer dereference via the component njs_vmcode_array at /src/njs_vmcode.c. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Nginx Null Pointer Dereference +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

nginx njs 0.7.2 is vulnerable to Buffer Overflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Buffer Overflow Njs
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

nginx njs 0.7.2 is affected suffers from Use-after-free in njs_function_frame_alloc() when it try to invoke from a restored frame saved with njs_function_frame_save(). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Use After Free Nginx +2
NVD GitHub
EPSS 71% CVSS 4.8
MEDIUM POC THREAT This Month

jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item deletion. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Nginx Nginx Proxy Manager
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

message_bus is a messaging bus for Ruby processes and web clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Nginx Path Traversal Message Bus
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Information Disclosure Modsecurity +4
NVD
EPSS 2% CVSS 7.1
HIGH POC This Week

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Ingress Nginx +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Shopware is open source e-commerce software. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Nginx XSS Shopware
NVD GitHub
EPSS 1% CVSS 6.8
MEDIUM POC PATCH This Month

LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Nginx Apache Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

On BIG-IP Advanced WAF and BIG-IP ASM version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3 and NGINX App Protect on all versions before 3.5.0, when a cross-site request forgery (CSRF)-enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Nginx Big Ip Advanced Web Application Firewall +2
NVD
EPSS 1% CVSS 6.8
MEDIUM POC This Month

The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Nginx WordPress +1
NVD WPScan
EPSS 1% CVSS 7.5
HIGH POC This Week

OneNav 0.9.12 allows Information Disclosure of the onenav.db3 contents. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Onenav
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
EPSS 53% CVSS 7.7
HIGH POC PATCH THREAT This Week

A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Nginx Denial Of Service Openresty +11
NVD Exploit-DB
EPSS 1% CVSS 7.4
HIGH This Week

Intra-cluster communication does not use TLS. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
EPSS 2% CVSS 10.0
CRITICAL POC PATCH Act Now

Authelia is a a single sign-on multi-factor portal for web apps. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Authentication Bypass Authelia
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Nginx Apache Denial Of Service +2
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

wire-server is an open-source back end for Wire, a secure collaboration platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Nginx Information Disclosure Wire Server
NVD GitHub
EPSS 17% CVSS 7.5
HIGH POC THREAT Act Now

An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server running as reverse proxy via specially crafted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.7%.

Buffer Overflow Integer Overflow Nginx +1
NVD Exploit-DB VulDB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-nginx-module) before version 1.1.1 basic Authentication can be bypassed using a malformed username. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Nginx Authentication Bypass Spnego Http Authentication Module
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Path Traversal Nginx Controller +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Authentication Bypass Nginx +2
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Nginx Cf Deployment +1
NVD
EPSS 1% CVSS 5.5
MEDIUM POC This Month

njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Use After Free Memory Corruption +2
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_lvlhsh_level_find in njs_lvlhsh.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC This Week

njs through 0.4.3, used in NGINX, has a use-after-free in njs_json_parse_iterator_call in njs_json.c. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Use After Free Memory Corruption +2
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Kubernetes Nginx +1
NVD GitHub
EPSS 1% CVSS 7.3
HIGH This Week

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubuntu Nginx Debian +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Nginx Nginx Controller
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
EPSS 1% CVSS 9.6
CRITICAL Act Now

In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Nginx Nginx Controller
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
EPSS 0% CVSS 8.8
HIGH This Week

In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Nginx Nginx Controller
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An unsafe configuration of nginx lead to information leak in Xiaomi router R3600 ROM before 1.0.50. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nginx Xiaomi R3600 Firmware
NVD
EPSS 0% CVSS 7.8
HIGH This Week

On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
EPSS 1% CVSS 8.1
HIGH This Week

On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Nginx +1
NVD
EPSS 4% CVSS 9.8
CRITICAL POC PATCH Act Now

BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Privilege Escalation Nginx Path Traversal +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Nginx Nginx Controller +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Nginx +2
NVD
EPSS 1% CVSS 7.4
HIGH This Week

In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by default. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Nginx Strongloop Nginx Controller
NVD GitHub
EPSS 1% CVSS 8.6
HIGH This Week

In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller +1
NVD
EPSS 56% CVSS 7.5
HIGH POC THREAT This Week

An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Nginx Millet Router 3G Firmware
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory traversal. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Nginx Nginx Proxy Manager
NVD GitHub
EPSS 56% CVSS 6.5
MEDIUM This Month

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server +17
NVD GitHub
EPSS 82% CVSS 7.5
HIGH This Week

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server +18
NVD GitHub
EPSS 58% CVSS 7.5
HIGH PATCH This Week

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Swiftnio Traffic Server +18
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC This Week

In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Nginx +3
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in nxt_vsprintf in nxt/nxt_sprintf.c during error handling, as demonstrated by an njs_regexp_literal call that leads to an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Information Disclosure +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

njs through 0.3.3, used in NGINX, has a buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM POC This Month

The Roundcube component of Analogic Poste.io 2.1.6 uses .htaccess to protect the logs/ folder, which is effective with the Apache HTTP Server but is ineffective with nginx. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Apache +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in njs_function_native_call in njs/njs_function.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Memory Corruption +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

njs through 0.3.1, used in NGINX, has a heap-based buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Information Disclosure +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in nxt_utf8_encode in nxt_utf8.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Memory Corruption +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.push after a resize, related to njs_array_prototype_push in njs/njs_array.c, because of njs_array_expand size. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Memory Corruption +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.splice after a resize, related to njs_array_prototype_splice in njs/njs_array.c, because of njs_array_expand size. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Memory Corruption +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

njs through 0.3.1, used in NGINX, has a segmentation fault in String.prototype.toBytes for negative arguments, related to nxt_utf8_next in nxt/nxt_utf8.h and njs_string_offset in njs/njs_string.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
EPSS 6% CVSS 9.8
CRITICAL Act Now

SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Information Disclosure Cloud
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

NGINX Unit before 1.7.1 might allow an attacker to cause a heap-based buffer overflow in the router process with a specially crafted request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Nginx +2
NVD
EPSS 10% CVSS 6.1
MEDIUM PATCH This Month

nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Nginx Debian Linux +3
NVD
EPSS 12% CVSS 7.5
HIGH This Week

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Nginx Debian Linux +2
NVD
EPSS 47% CVSS 7.5
HIGH This Week

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Nginx Debian Linux +3
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Nginx +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

Pivotal Operations Manager, versions 2.1.x prior to 2.1.6 and version 2.0.14, includes NGINX packages that lacks security vulnerability patches. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Nginx Operations Manager
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Privilege Escalation Nginx +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Djelibeybi configuration examples for use of NGINX in SUSE Portus 2.3, when applied to certain configurations involving Docker Compose, have a Missing SSL Certificate Validation issue because no. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Docker Nginx +1
NVD
EPSS 3% CVSS 7.5
HIGH This Week

In Apache Allura before 1.8.0, unauthenticated attackers may retrieve arbitrary files through the Allura web application. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Nginx +1
NVD
EPSS 92% 4.3 CVSS 7.5
HIGH Act Now

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 91.9% and no vendor patch available.

Integer Overflow Nginx Information Disclosure +2
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required.

Nginx Information Disclosure Libressl
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Nginx Privilege Escalation Passenger
NVD GitHub
EPSS 10% CVSS 7.8
HIGH POC This Week

The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Nginx Debian Information Disclosure +2
NVD Exploit-DB
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy