144
CVEs
30
Critical
74
High
0
KEV
17
PoC
29
Unpatched C/H
75.0%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
30
HIGH
74
MEDIUM
36
LOW
3
Monthly CVE Trend
Affected Products (30)
Njs
38
Debian Linux
22
Docker
22
Nginx Plus
22
Kubernetes
21
Nginx Open Source
21
Nginx Controller
17
PHP
16
Fedora
11
Python
10
Roxy Wi
10
Ubuntu Linux
10
Nginx Ui
9
Leap
8
Nginx Instance Manager
8
Nginx Ingress Controller
8
Nginx Proxy Manager
7
Xcode
7
Modsecurity
6
Cloud Backup
5
Java
5
Ubuntu
4
Linux Kernel
4
Software Collections
4
Ingress Nginx
4
Nginx Gateway Fabric
4
Discourse
4
Enterprise Communications Broker
3
Diskstation Manager
3
Traffic Server
3
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-42945 | Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. F5 has released patches addressing this critical flaw. EPSS data unavailable; no KEV listing or public exploit identified at time of analysis, though the specific configuration requirements and dependency on external conditions likely limit widespread exploitation despite the 9.2 CVSS score. | CRITICAL | 9.2 | 0.2% | 76 |
PoC
|
| CVE-2026-27944 | Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available. | CRITICAL | 9.8 | 1.0% | 70 |
PoC
|
| CVE-2026-33032 | Remote unauthenticated nginx service takeover in nginx-ui's MCP integration allows network attackers to create, modify, or delete nginx configuration files and trigger automatic reloads without authentication. The /mcp_message endpoint lacks authentication middleware while exposing the same MCP tool handlers as the protected /mcp endpoint, and the IP whitelist defaults to empty (allow-all). Attackers can inject malicious server blocks to intercept credentials, exfiltrate backend topology, or crash nginx with invalid configs. CVSS 9.8 (Critical) with network attack vector, no authentication required, and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though detailed proof-of-concept HTTP request provided in advisory. | CRITICAL | 9.8 | 0.1% | 69 |
PoC
No patch
|
| CVE-2026-42530 | Use-after-free in NGINX Open Source's ngx_http_v3_module allows remote unauthenticated attackers to crash worker processes and potentially execute arbitrary code on hosts where HTTP/3 QUIC is enabled. Exploitation requires a specially crafted HTTP/3 session that reopens a QPACK encoder stream, with code execution contingent on ASLR being disabled or bypassed; no public exploit identified at time of analysis, though SSVC technical impact is rated total. | CRITICAL | 9.2 | 0.8% | 67 |
PoC
|
| CVE-2026-42055 | Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic upstream when ignore_invalid_headers is off and large_client_header_buffers exceeds 2 MB. Remote unauthenticated attackers sending oversized headers can crash the worker process, and where ASLR is disabled or bypassable, achieve arbitrary code execution. No public exploit identified at time of analysis and CISA SSVC marks exploitation as 'none', but technical impact is rated total. | CRITICAL | 9.2 | 0.6% | 67 |
PoC
|
| CVE-2026-9256 | Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated remote attackers sending crafted HTTP requests that target rewrite directives using overlapping PCRE captures (e.g., $1$2 referencing ^/((.*))$) in redirect or arguments contexts. Impact ranges from worker process crash/restart to arbitrary code execution where ASLR is disabled or bypassed; publicly available exploit code exists, though EPSS exploitation probability is low (0.15%, 35th percentile) and the issue is not in CISA KEV. | CRITICAL | 9.2 | 0.1% | 66 |
PoC
|
| CVE-2026-33186 | An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTTP/2 requests with malformed :path pseudo-headers that omit the mandatory leading slash (e.g., 'Service/Method' instead of '/Service/Method'). This affects gRPC-Go servers using path-based authorization interceptors like google.golang.org/grpc/authz with deny rules for canonical paths but fallback allow rules. The vulnerability has a CVSS score of 9.1 (Critical) with network-based exploitation requiring no privileges or user interaction, enabling attackers to access restricted services and potentially exfiltrate or modify sensitive data. | CRITICAL | 9.1 | 0.0% | 66 |
PoC
|
| CVE-2026-58467 | Arbitrary file disclosure and PHP local file inclusion in Cockpit CMS before release 364 lets unauthenticated remote attackers read files outside the web root and, on certain server setups, cause the application to include() attacker-chosen .php files. The flaw stems from unvalidated PATH_INFO (derived from REQUEST_URI) being used to build filesystem paths without containment checks. Publicly available exploit code exists; it is not listed in CISA KEV and no EPSS score was provided. | HIGH | 8.2 | 0.4% | 61 |
PoC
|
| CVE-2026-49975 | Denial of service in Apache HTTP Server 2.4.17 through 2.4.67 (via the bundled mod_http2 module) allows remote unauthenticated attackers to exhaust server memory by sending crafted HTTP/2 requests whose cookie headers are not correctly counted against LimitRequestFields. Publicly available exploit code exists and a third-party write-up describes a 'hidden HTTP/2 bomb,' but EPSS exploitation probability is currently very low (0.02%, 5th percentile) and the CVE is not on the CISA KEV list. | HIGH | 7.5 | 0.0% | 58 |
PoC
|
| CVE-2026-58446 | Authentication bypass in Presenton's bundled MCP server exposes server and Docker deployments to unauthenticated remote exploitation via the unprotected /mcp endpoint. When operators configure session authentication using AUTH_USERNAME/AUTH_PASSWORD, nginx enforces access control on all paths except /mcp, which is absent from the auth_request gate - and the MCP server compounds this by auto-minting valid internal session tokens for the configured user on any incoming request. An unauthenticated remote attacker can therefore invoke MCP tools such as generate_presentation as if fully authenticated, consuming the operator's LLM API keys and writing arbitrary presentations to the instance. A publicly available proof-of-concept exists; no active exploitation confirmed in CISA KEV. | MEDIUM | 6.9 | 0.4% | 55 |
PoC
|
| CVE-2026-42220 | nginx-ui prior to version 2.3.8 exposes sensitive configuration values including node.secret via an authenticated GET /api/settings endpoint, allowing an authenticated user to retrieve the shared authentication secret and subsequently impersonate the init administrative user by sending requests with the stolen node.secret via the X-Node-Secret header or node_secret query parameter. This enables privilege escalation and full administrative access to the Nginx configuration interface without additional authentication. | MEDIUM | 6.5 | 0.0% | 53 |
PoC
|
| CVE-2026-33494 | Ory Oathkeeper, an identity and access proxy, contains an authorization bypass vulnerability via HTTP path traversal that allows attackers to access protected resources without authentication. The vulnerability affects Ory Oathkeeper installations where the software uses un-normalized paths for rule matching, enabling requests like '/public/../admin/secrets' to bypass authentication requirements. With a CVSS score of 10.0 (Critical) and network-based exploitation requiring no privileges or user interaction, this represents a severe authentication bypass, though no current EPSS score or KEV listing indicates limited evidence of active exploitation at this time. | CRITICAL | 10.0 | 0.0% | 50 |
|
| CVE-2026-9508 | Unauthenticated backup file disclosure in Suprema BioStar 2 server (versions 2.9.3 through 2.9.11) allows remote attackers to download sensitive backup ZIP archives directly via predictable '/download/' URLs when the administrator places the backup path inside the NGINX webroot. The exposed archives can contain database credentials and cryptographic material enabling server impersonation, database compromise, and lateral movement. No public exploit identified at time of analysis, but SSVC rates the flaw as automatable with total technical impact and CVSS 4.0 scores it 10.0. | CRITICAL | 10.0 | 0.1% | 50 |
|
| CVE-2026-33502 | An unauthenticated server-side request forgery (SSRF) vulnerability exists in AVideo's Live plugin test.php endpoint that allows remote attackers to force the server to send HTTP requests to arbitrary URLs. The vulnerability affects AVideo installations with the Live plugin enabled and can be exploited to probe internal network services, access cloud metadata endpoints, and retrieve content from internal HTTP resources. A proof-of-concept has been published demonstrating localhost service enumeration, and the vulnerability requires no authentication or user interaction to exploit. | CRITICAL | 9.3 | 3.0% | 50 |
|
| CVE-2026-45552 | Privilege escalation and cross-tenant compromise in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user - including the default guest role 4 - to install or reconfigure exporters, WAF, and GeoIP databases on every managed server regardless of tenant ownership. Because the affected installer endpoints lack role and group decorators, low-privilege users can pivot through stored SSH credentials with sudo to achieve root-level command execution on HAProxy/Nginx/Apache hosts belonging to other tenants. No public exploit identified at time of analysis, but the issue is unpatched and rated CVSS 9.9. | CRITICAL | 9.9 | 0.0% | 50 |
No patch
|