Skip to main content

Nginx

Vendor security scorecard – 160 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 818
160
CVEs
33
Critical
78
High
0
KEV
22
PoC
32
Unpatched C/H
73.1%
Patch Rate
0.2%
Avg EPSS

Severity Breakdown

CRITICAL
33
HIGH
78
MEDIUM
45
LOW
3

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-42945 Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. F5 has released patches addressing this critical flaw. EPSS data unavailable; no KEV listing or public exploit identified at time of analysis, though the specific configuration requirements and dependency on external conditions likely limit widespread exploitation despite the 9.2 CVSS score. CRITICAL 9.2 0.2% 76
PoC
CVE-2026-27944 Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available. CRITICAL 9.8 1.0% 70
PoC
CVE-2026-33032 Remote unauthenticated nginx service takeover in nginx-ui's MCP integration allows network attackers to create, modify, or delete nginx configuration files and trigger automatic reloads without authentication. The /mcp_message endpoint lacks authentication middleware while exposing the same MCP tool handlers as the protected /mcp endpoint, and the IP whitelist defaults to empty (allow-all). Attackers can inject malicious server blocks to intercept credentials, exfiltrate backend topology, or crash nginx with invalid configs. CVSS 9.8 (Critical) with network attack vector, no authentication required, and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though detailed proof-of-concept HTTP request provided in advisory. CRITICAL 9.8 0.1% 69
PoC No patch
CVE-2026-42530 Use-after-free in NGINX Open Source's ngx_http_v3_module allows remote unauthenticated attackers to crash worker processes and potentially execute arbitrary code on hosts where HTTP/3 QUIC is enabled. Exploitation requires a specially crafted HTTP/3 session that reopens a QPACK encoder stream, with code execution contingent on ASLR being disabled or bypassed; no public exploit identified at time of analysis, though SSVC technical impact is rated total. CRITICAL 9.2 0.8% 67
PoC
CVE-2026-42055 Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic upstream when ignore_invalid_headers is off and large_client_header_buffers exceeds 2 MB. Remote unauthenticated attackers sending oversized headers can crash the worker process, and where ASLR is disabled or bypassable, achieve arbitrary code execution. No public exploit identified at time of analysis and CISA SSVC marks exploitation as 'none', but technical impact is rated total. CRITICAL 9.2 0.6% 67
PoC
CVE-2025-34203 Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1002 and Application versions prior to 20.0.2614 (VA and SaaS deployments) contain multiple Docker containers that. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.3 0.1% 67
PoC No patch
CVE-2026-9256 Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated remote attackers sending crafted HTTP requests that target rewrite directives using overlapping PCRE captures (e.g., $1$2 referencing ^/((.*))$) in redirect or arguments contexts. Impact ranges from worker process crash/restart to arbitrary code execution where ASLR is disabled or bypassed; publicly available exploit code exists, though EPSS exploitation probability is low (0.15%, 35th percentile) and the issue is not in CISA KEV. CRITICAL 9.2 0.1% 66
PoC
CVE-2025-59951 Docker default credentials in Termix server management. PoC and patch available. CRITICAL 9.1 0.1% 66
PoC
CVE-2026-33186 An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTTP/2 requests with malformed :path pseudo-headers that omit the mandatory leading slash (e.g., 'Service/Method' instead of '/Service/Method'). This affects gRPC-Go servers using path-based authorization interceptors like google.golang.org/grpc/authz with deny rules for canonical paths but fallback allow rules. The vulnerability has a CVSS score of 9.1 (Critical) with network-based exploitation requiring no privileges or user interaction, enabling attackers to access restricted services and potentially exfiltrate or modify sensitive data. CRITICAL 9.1 0.0% 66
PoC
CVE-2026-58467 Arbitrary file disclosure and PHP local file inclusion in Cockpit CMS before release 364 lets unauthenticated remote attackers read files outside the web root and, on certain server setups, cause the application to include() attacker-chosen .php files. The flaw stems from unvalidated PATH_INFO (derived from REQUEST_URI) being used to build filesystem paths without containment checks. Publicly available exploit code exists; it is not listed in CISA KEV and no EPSS score was provided. HIGH 8.2 0.4% 61
PoC
CVE-2026-22265 Authenticated command injection in Roxy-WI versions prior to 8.2.8.2 enables attackers to execute arbitrary system commands through improper sanitization of the grep parameter in log viewing functionality. Public exploit code exists for this vulnerability, affecting users managing HAProxy, Nginx, Apache, and Keepalived servers through the web interface. A patch is available in version 8.2.8.2 and later. HIGH 7.5 0.2% 58
PoC
CVE-2026-49975 Denial of service in Apache HTTP Server 2.4.17 through 2.4.67 (via the bundled mod_http2 module) allows remote unauthenticated attackers to exhaust server memory by sending crafted HTTP/2 requests whose cookie headers are not correctly counted against LimitRequestFields. Publicly available exploit code exists and a third-party write-up describes a 'hidden HTTP/2 bomb,' but EPSS exploitation probability is currently very low (0.02%, 5th percentile) and the CVE is not on the CISA KEV list. HIGH 7.5 0.0% 58
PoC
CVE-2026-58446 Authentication bypass in Presenton's bundled MCP server exposes server and Docker deployments to unauthenticated remote exploitation via the unprotected /mcp endpoint. When operators configure session authentication using AUTH_USERNAME/AUTH_PASSWORD, nginx enforces access control on all paths except /mcp, which is absent from the auth_request gate - and the MCP server compounds this by auto-minting valid internal session tokens for the configured user on any incoming request. An unauthenticated remote attacker can therefore invoke MCP tools such as generate_presentation as if fully authenticated, consuming the operator's LLM API keys and writing arbitrary presentations to the instance. A publicly available proof-of-concept exists; no active exploitation confirmed in CISA KEV. MEDIUM 6.9 0.4% 55
PoC
CVE-2026-42220 nginx-ui prior to version 2.3.8 exposes sensitive configuration values including node.secret via an authenticated GET /api/settings endpoint, allowing an authenticated user to retrieve the shared authentication secret and subsequently impersonate the init administrative user by sending requests with the stolen node.secret via the X-Node-Secret header or node_secret query parameter. This enables privilege escalation and full administrative access to the Nginx configuration interface without additional authentication. MEDIUM 6.5 0.0% 53
PoC
CVE-2025-62126 Information disclosure in Razvan Stanga's Varnish/Nginx Proxy Caching WordPress plugin through version 1.8.3 allows sensitive data embedded in cached responses to be exposed to unauthorized users. The vulnerability stems from improper handling of sensitive information during proxy caching operations, enabling attackers to retrieve cached data containing credentials, tokens, or other confidential material. No authentication is required to exploit this issue, and EPSS analysis indicates a 4.43% probability of exploitation (89th percentile), suggesting moderate real-world risk despite the lack of known public exploits. MEDIUM 5.3 4.4% 51
PoC No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy