
Nginx

Vendor security scorecard – 28 CVEs in the selected period

Risk score: 138
CVEs: 28
Critical: 5
High: 14
KEV (CISA Known Exploited Vulnerabilities): 0
PoC available: 4
Unpatched Critical/High: 4
Patch rate: 82.1%
Avg EPSS: 0.1%

Severity Breakdown

CRITICAL: 5
HIGH: 14
MEDIUM: 8
LOW: 0

Monthly CVE Trend (chart; data not captured on this page)

Top Risky CVEs

Columns: CVE | Severity | CVSS | EPSS | Priority | Signals, followed by the summary.

CVE-2026-42945 | CRITICAL | CVSS 9.2 | EPSS 0.2% | Priority 66 | Signals: PoC
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. F5 has released patches addressing this critical flaw. EPSS data unavailable; no KEV listing or public exploit identified at time of analysis, though the specific configuration requirements and dependency on external conditions likely limit widespread exploitation despite the 9.2 CVSS score.

CVE-2026-42220 | MEDIUM | CVSS 6.5 | EPSS 0.0% | Priority 53 | Signals: PoC
nginx-ui prior to version 2.3.8 exposes sensitive configuration values including node.secret via an authenticated GET /api/settings endpoint, allowing an authenticated user to retrieve the shared authentication secret and subsequently impersonate the init administrative user by sending requests with the stolen node.secret via the X-Node-Secret header or node_secret query parameter. This enables privilege escalation and full administrative access to the Nginx configuration interface without additional authentication.

CVE-2026-8430 | CRITICAL | CVSS 9.2 | EPSS 0.2% | Priority 46 | Signals: none
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allow

CVE-2026-8711 | CRITICAL | CVSS 9.2 | EPSS 0.2% | Priority 46 | Signals: none
Heap buffer overflow in F5 NGINX JavaScript (njs) module versions 0.9.4 through 0.9.8 allows unauthenticated remote attackers to crash NGINX worker processes, with potential remote code execution on hosts where ASLR is disabled. Exploitation requires the deployment to use the js_fetch_proxy directive with at least one client-controlled NGINX variable (such as $http_*, $arg_*, or $cookie_*) and a location that invokes ngx.fetch(). No public exploit identified at time of analysis, but a vendor patch is available and the CVSS 4.0 base score of 9.2 reflects the high impact across confidentiality, integrity, and availability.

CVE-2026-7381 | CRITICAL | CVSS 9.1 | EPSS 0.0% | Priority 46 | Signals: No patch
Plack::Middleware::XSendfile through version 1.0053 allows remote unauthenticated attackers to read arbitrary files from nginx-proxied servers by injecting malicious X-Sendfile-Type and X-Accel-Mapping headers. When the middleware's sendfile type is not explicitly configured, clients can force nginx's X-Accel-Redirect mode and manipulate path mappings to access sensitive files outside intended directories. The middleware has been deprecated as of version 1.0053 and will be removed in future Plack releases. EPSS score of 0.01% suggests low current exploitation activity despite the high CVSS 9.1 rating. No public exploit code identified at time of analysis, though the attack technique mirrors the documented CVE-2025-61780 vulnerability in Rack::Sendfile.

CVE-2026-42238 | CRITICAL | CVSS 9.0 | EPSS 0.2% | Priority 45 | Signals: none
Remote code execution as root in nginx-ui versions before 2.3.8 via unauthenticated backup restore within the 10-minute startup window. Attackers exploit the completely unauthenticated /api/restore endpoint during initial installation to upload malicious backup archives that overwrite the app.ini configuration with injected OS commands in the TestConfigCmd setting. After the automatic application restart, the command injection triggers with the privileges of the nginx-ui process, typically root in Docker deployments. EPSS data not available; no active exploitation reported, but publicly disclosed via GitHub Security Advisory GHSA-4pvg-prr3-9cxr. Patch released in version 2.3.8.

CVE-2026-42559 | HIGH | CVSS 8.8 | EPSS 0.0% | Priority 44 | Signals: PoC
DNS rebinding in the rmcp Rust crate allows malicious websites to control local MCP servers and achieve arbitrary code execution through exposed developer tools. Fixed in version 1.4.0 via Host header validation with a loopback-only default allowlist. The vulnerability affects the Streamable HTTP server transport only (stdio and child-process transports unaffected). Vendor-released patch available (PR #764, commit 8e22aa2). Similar vulnerabilities patched across the TypeScript, Python, Go, and Java MCP SDKs indicate coordinated disclosure. CVSS 8.8 (network vector, low complexity, requires user interaction) reflects a browser-mediated attack requiring the victim to visit an attacker site.

CVE-2026-45578 | HIGH | CVSS 8.8 | EPSS n/a | Priority 44 | Signals: No patch
Remote code execution in the AVideo streaming platform allows authenticated users with streaming privileges to execute arbitrary OS commands through shell metacharacter injection in the Live plugin. The vulnerability exists in the on_publish.php webhook endpoint, which builds shell commands using unsafe string concatenation instead of proper escaping, allowing attackers to inject commands via specially crafted stream keys containing single quotes. While the CVSS indicates low privileges required (authenticated users with canStream permission), the impact is severe as it grants full web server user access.

CVE-2026-39806 | HIGH | CVSS 8.7 | EPSS 0.5% | Priority 44 | Signals: none
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker proc

CVE-2026-44015 | HIGH | CVSS 8.5 | EPSS 0.0% | Priority 43 | Signals: No patch
Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF)

CVE-2026-42946 | HIGH | CVSS 8.3 | EPSS 0.0% | Priority 42 | Signals: none
Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with a man-in-the-middle position between NGINX and upstream servers to read worker process memory or crash the service. Affects both NGINX Open Source and NGINX Plus when scgi_pass or uwsgi_pass directives are configured. The vulnerability requires network positioning between NGINX and its backend servers (AV:N with AT:P, Present attack complexity), making exploitation dependent on network architecture. No public exploit identified at time of analysis. CVSS 8.3 (High) reflects the potential for confidential data exposure but is limited by the MITM prerequisite.

CVE-2026-30923 | HIGH | CVSS 8.2 | EPSS 0.0% | Priority 41 | Signals: none
Worker process crashes occur in ModSecurity (libmodsecurity3) when processing query string parameters containing single characters through the t:hexDecode transformation function. Remote unauthenticated attackers can trigger repeated segmentation faults to disrupt web application firewall protection, though the service automatically recovers once the attack ceases. All libmodsecurity3 versions before 3.0.15 are affected across Apache, IIS, and Nginx deployments. OWASP confirmed the vulnerability via GitHub security advisory GHSA-qrjc-3jpc-3h2g and released patch version 3.0.15 addressing this buffer overflow (CWE-125: Out-of-bounds Read).

CVE-2026-42268 | HIGH | CVSS 8.2 | EPSS 0.0% | Priority 41 | Signals: none
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is a

CVE-2026-42221 | HIGH | CVSS 8.1 | EPSS 0.1% | Priority 41 | Signals: none
Unauthenticated attackers can hijack the administrator account during nginx-ui's first-run installation window by claiming the /api/install endpoint before legitimate operators. This race-condition vulnerability in nginx-ui versions 2.0.0 through 2.3.7 bypasses authentication controls entirely, allowing complete instance takeover with attacker-controlled credentials. The request-encryption mechanism protects only transit confidentiality, not authorization. Attack complexity is rated HIGH due to the narrow time window between deployment and legitimate setup completion. EPSS data unavailable; no CISA KEV listing or public PoC identified at time of analysis, but exploitation requires only standard HTTP tools and timing.

CVE-2026-42222 | HIGH | CVSS 8.1 | EPSS 0.0% | Priority 41 | Signals: No patch
Unauthenticated bootstrap takeover in nginx-ui 2.3.5 allows remote attackers to hijack the initial installation process via crafted POST requests to the /api/install endpoint. An attacker who successfully exploits the installation window gains full administrative control over the nginx-ui instance before legitimate administrators complete setup. No vendor-released patch identified at time of analysis, creating extended exposure risk for newly deployed instances.
