{"vulnerability": "CVE-2026-42945", "sightings": [{"uuid": "d9d4f2f9-779e-4c6d-9315-8bf2024ab40b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hatena-bookmark.bsky.social/post/3mlrq5eb7ca2m", "content": "#\ud83d\udd16\u30c6\u30af\u30ce\u30ed\u30b8\u30fc\nNGINX Rift\n\nCVE-2026-42945 \u00b7 Heap-based Buffer Overflow \u00b7 CVSS v4.0 9.2 (Critical) found autonomously by depthfirst NGINX Rift An 18 year old memory corruption flaw in NGINX Plus and NGINX Open Source lets an unauthenticated attacker crash worker processes or execute remote code with craft", "creation_timestamp": "2026-05-14T02:05:11.569517Z"}, {"uuid": "9af3719f-b415-44d5-8c67-6f1eaf5cf09f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlqurxic4y2o", "content": "CVE-2026-42945 - NGINX ngx_http_rewrite_module vulnerability\nCVE ID : CVE-2026-42945\n \n Published : May 13, 2026, 2:12 p.m. | 2\u00a0hours, 12\u00a0minutes ago\n \n Description : NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module\u00a0module. This vulnerabilit...", "creation_timestamp": "2026-05-13T17:56:00.842089Z"}, {"uuid": "081c8fdf-1542-4711-9fdc-6a92b026aee8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/cR0w/statuses/116568862985647331", "content": "RE: https://infosec.exchange/@cR0w/116568840324508660\nPlenty of prerequisites but worth looking into.\nhttps://my.f5.com/manage/s/article/K000161019\n\nNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. (CVE-2026-42945)", "creation_timestamp": "2026-05-13T19:14:52.543687Z"}, {"uuid": "13f33583-e0d3-423d-9595-72a033558dff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlrrkr5rym2j", "content": "Top 3 CVE for last 7 days:\nCVE-2026-43284: 134 interactions\nCVE-2026-43500: 99 interactions\nCVE-2026-31431: 73 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-46300: 14 interactions\nCVE-2026-42945: 7 interactions\nCVE-2025-8088: 6 interactions\n", "creation_timestamp": "2026-05-14T02:30:34.787585Z"}, {"uuid": "a4f5cb7d-fc78-4ca9-bb45-ee5164835b51", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/harrysintonen/statuses/116569411966488420", "content": "CVE-2026-42945 Heap-based Buffer Overflow in #nginx combined with the linux kernel LPEs is \"not great\" as we say in the industry.\nhttps://depthfirst.com/nginx-rift\n#CVE_2026_42945", "creation_timestamp": "2026-05-13T21:34:29.567906Z"}, {"uuid": "99eff52c-7f48-4cf4-9d53-3bfc619a9166", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/tongzhuodeni.bsky.social/post/3mlrslabuxk2u", "content": "\u5341\u516b\u5e74\u6ca1\u4eba\u78b0\u7684\u90a3\u6bb5\u4ee3\u7801\uff0c\u78b0\u4e0a\u4e86\u5c31\u662f\u5927\u4e8b\u3002\n\nNGINX \u88ab\u66dd\u4e25\u91cd\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0cCVSS 9.2\uff0c\u6e90\u4e8e 2008 \u5e74\u5f15\u5165\u7684\u4ee3\u7801\u903b\u8f91\uff0c\u5f71\u54cd\u5168\u7403\u6570\u4ebf\u670d\u52a1\u5668\u3002\u653b\u51fb\u8005\u65e0\u9700\u8ba4\u8bc1\u5373\u53ef\u5229\u7528\uff0c\u5df2\u53d1\u5e03\u4fee\u590d\u7248\u672c\u3002\n\n\u6d88\u606f\u6765\u6e90\uff1aDepthfirst\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42945", "creation_timestamp": "2026-05-14T02:49:04.993051Z"}, {"uuid": "ffbf3c32-3a4d-4033-955e-ac9a2637aa4c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/thecascading.bsky.social/post/3mlrt43253u22", "content": "\ud83d\udd34 NGINX http_rewrite \u6a21\u5757\u6f0f\u6d1e\uff1b\u6216\u4f1a\u5bfc\u81f4\u5806\u6ea2\u51fa\u751a\u81f3\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\n\n- \u6f0f\u6d1e\u7684\u8d77\u56e0\u662f nginx \u5c1d\u8bd5\u5c06 escape \u8fc7\u7684 URL \u5199\u5165\u672a escape \u957f\u5ea6\u7684\u5185\u5b58\u3002\n- \u5728 ASLR \u672a\u88ab\u5f00\u542f\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u4ee5\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\n- \u4fee\u590d\u5df2\u4e8e 1.30.1/1.31.0 \u53d1\u5e03\u3002\n\n1. https://depthfirst.com/nginx-rift\n2. my.f5.com/~\n\nCVE: CVE-2026-42945\nCVSS: 9.2 (F5 Networks)\nAffect: [0.6.27, 1.30.0] ... [1/2]", "creation_timestamp": "2026-05-14T02:58:08.480955Z"}, {"uuid": "1eb9586f-f049-4f89-87c6-ce42fc4bb164", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html", "content": "Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years.\nThe vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a", "creation_timestamp": "2026-05-14T04:00:09.000000Z"}, {"uuid": "d4589600-d699-4c51-aa53-38cc58d48cc2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://mstdn.social/users/jschauma/statuses/116570913453757279", "content": "CVE-2026-42945: Possible RCE in NGINX:\nhttps://depthfirst.com/nginx-rift\nRequires a specific regex based rewrite directive like\nrewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;\nhttps://my.f5.com/manage/s/article/K000161019\n(Of course also found & published by some AI platform. At least they told F5 first.)\nAnd there's a bunch of other vulns in nginx that just dropped, but good luck keeping track if the list of security advisories contains no dates:\nhttps://nginx.org/en/security_advisories.html", "creation_timestamp": "2026-05-14T03:56:21.171214Z"}, {"uuid": "78ff4336-02a6-4835-9aeb-d124c86b34e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/jschauma.mstdn.social.ap.brid.gy/post/3mlrwe7sfxxu2", "content": "CVE-2026-42945: Possible RCE in NGINX:\n\nhttps://depthfirst.com/nginx-rift\n\nRequires a specific regex based rewrite directive like\n\nrewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;\n\nhttps://my.f5.com/manage/s/article/K000161019\n\n(Of course also found & published by some AI [\u2026]", "creation_timestamp": "2026-05-14T04:01:33.020888Z"}, {"uuid": "31722fc4-8ec9-438f-b2a0-22066997cff1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/yukotan.bsky.social/post/3mls6mn6yls23", "content": "\u3053\u308c\u306d\n\nCritical 18-Year-Old NGINX RCE (CVE-2026-42945) and GitHub PoC Disclosed \nsecurityonline.info/nginx-rce-vu...", "creation_timestamp": "2026-05-14T06:24:21.653039Z"}, {"uuid": "64fc25b9-dfbe-445d-ab19-5283b0ada87b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/r-netsec-bot.bsky.social/post/3mlsmaqwxcj2g", "content": "CVE-2026-42945 : NGINX Heap Buffer Overflow in rewrite module - Writeup and PoC", "creation_timestamp": "2026-05-14T10:28:10.239253Z"}, {"uuid": "8edb837d-eb25-4d59-9de0-96d7c7f0b34c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/kubonai.bsky.social/post/3mlsb6fsmet2a", "content": "CVE-2026-42945: Critical NGINX Heap Buffer Overflow RCE Vulnerability\n\nCVE-2026-42945 is a critical NGINX vulnerability (CVSS 9.2) hiding in ngx_http_rewrite_module for 18 years. A public PoC ex...\n\n\ud83d\udd17 https://ipsec.live/blog/cve-2026-42945-nginx-heap-buffer-overflow\n\n#infosec #cybersecurity", "creation_timestamp": "2026-05-14T07:09:59.377157Z"}, {"uuid": "3602732b-d7e5-4bfe-a731-e51bff4fd9e5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/1SOBBgvcIqPC2HdBO73HfJmtzy7hfeZMdIE0nBIzwgN91l0", "content": "", "creation_timestamp": "2026-05-14T07:00:14.000000Z"}, {"uuid": "3a6a64dd-f497-41bc-8785-8401c43398ee", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/thehackernews/8997", "content": "\u26a1 An 18-year-old flaw in NGINX can let unauthenticated attackers run code or crash servers using crafted HTTP requests.\n\nTracked as CVE-2026-42945 and named NGINX Rift, the bug affects NGINX Plus and Open Source.\n\nPatch details and mitigation steps: https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html", "creation_timestamp": "2026-05-14T06:10:17.000000Z"}, {"uuid": "7eef58b8-ba58-4b94-8f71-e2dee60a2d0f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/r-netsec.bsky.social/post/3mlsmv4rbyo2w", "content": "CVE-2026-42945 : NGINX Heap Buffer Overflow in rewrite module - Writeup and PoC", "creation_timestamp": "2026-05-14T10:39:32.828853Z"}, {"uuid": "6b9bcaef-2e6d-40ea-bee2-c65bc2cf5e87", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://cyberplace.social/users/GossiTheDog/statuses/116572643931253811", "content": "CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)\nIt relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it.  To reach RCE, also ASLR needs to have been disabled on the box.\nThe PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.", "creation_timestamp": "2026-05-14T11:17:02.377324Z"}, {"uuid": "684ee04e-95c0-4f0b-b1d6-6863656dafa4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/tomcat/statuses/116572672199510588", "content": "\u26a1 An 18-year-old flaw in NGINX can let unauthenticated attackers run code or crash servers using crafted HTTP requests.\nTracked as CVE-2026-42945 and named NGINX Rift, the bug affects NGINX Plus and Open Source.\nPatch details and mitigation steps: https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html", "creation_timestamp": "2026-05-14T11:23:35.922821Z"}, {"uuid": "80304a67-35c2-46c7-a7c4-e9c88a80a8f3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84220", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-42945\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a rheodev\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 1  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-14 13:27:53\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nNGINX Rift \u6f0f\u6d1e\u5206\u6790\u4e0e\u590d\u73b0\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-14T14:00:04.000000Z"}, {"uuid": "971780d6-4f19-4c46-a624-c3eb84d18fc5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://mastodon.social/users/hrbrmstr/statuses/116572847528970537", "content": "The EasyEngine tutorial, StackPointer, WPMU DEV, Stack Overflow, and the WordPress.org forums all reference this same pattern.\nThis can easily be chained with one (or both) of two recent and trivial-to-exploit local privilege escalation Linux vulns.\nIn the words of @krypt3ia :\nwe doomed.\nHOWEVER: I threw together a small Bash script that tries to detect whether a given conf file or directory of nginx configs has vulnerable directives. You can find it at:\nhttps://git.sr.ht/~hrbrmstr/cve-2026-42945-scanner\u2026 (2/3)", "creation_timestamp": "2026-05-14T12:08:28.141923Z"}, {"uuid": "aeae35e8-5284-474a-816e-76b8011cac9f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/oxfemale.bsky.social/post/3mlt4vtlmna2s", "content": "As Head of Security, I would classify\u00a0CVE-2026-42945, also known as\u00a0NGINX Rift, as an urgent edge-infrastructure vulnerability.\nhttps://core-jmp.org/2026/05/nginx-rift-the-18-year-old-rewrite-bug-that-turned-a-single-http-request-into-potential-rce/", "creation_timestamp": "2026-05-14T15:26:17.741044Z"}, {"uuid": "856a4646-9e4e-4b83-85b9-3cc2c5813240", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/dErCEnN1e7TY-t0OSb3ozOiPhjFHpmm6ygmc27OPsCgAOz4", "content": "", "creation_timestamp": "2026-05-14T15:00:16.000000Z"}, {"uuid": "1650b958-febf-442a-983e-7a4c7c57f697", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/8KrClztxOpt43Dn04vWbNfDSJz2auxqrQryTcHMCR_fwseY", "content": "", "creation_timestamp": "2026-05-14T15:00:07.000000Z"}, {"uuid": "9b833f6a-5956-4c3a-b8b6-138470a37412", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/shortinfo.bsky.social/post/3mltd3jvi4d2q", "content": "An 18-year-old heap overflow in NGINX's rewrite module, named NGINX Rift (CVE-2026-42945, CVSS 9.2), lets an unauthenticated attacker crash workers or, with ASLR off, gain RCE via a single crafted HTTP request. Affects 0.6.27 to 1.30.0 and Plus R32-R36. Patch: 1.30.1 or 1.31.0.", "creation_timestamp": "2026-05-14T17:16:51.642379Z"}, {"uuid": "3154705b-d4ad-4543-82c1-464af34dc814", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/K_yHCshI6yZBJj8Foftsx5hfP7GLhbMmJ81CYC3g7d-oupU", "content": "", "creation_timestamp": "2026-05-14T11:00:13.000000Z"}, {"uuid": "fb7d0e5e-9d65-4060-b321-e094e18e075f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/true_secator/8204", "content": "\u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b\u0438 \u043c\u043d\u043e\u0433\u043e\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u044b\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0430\u0445 NGINX Plus \u0438 NGINX Open, \u0432\u043a\u043b\u044e\u0447\u0430\u044f \u043a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0443\u044e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043e\u0441\u0442\u0430\u0432\u0430\u043b\u0430\u0441\u044c \u043d\u0435\u0437\u0430\u043c\u0435\u0447\u0435\u043d\u043d\u043e\u0439 \u0432 \u0442\u0435\u0447\u0435\u043d\u0438\u0435 18 \u043b\u0435\u0442.\n\n\u041f\u043e\u0441\u043b\u0435\u0434\u043d\u044f\u044f \u0431\u044b\u043b\u0430\u00a0\u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u043f\u0440\u0438 \u0443\u0447\u0430\u0441\u0442\u0438\u0438 depthfirst \u0438 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0441\u043e\u0431\u043e\u0439 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0443 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 \u043a\u0443\u0447\u0435, \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u044e\u0449\u0443\u044e \u043c\u043e\u0434\u0443\u043b\u044c ngx_http_rewrite_module (CVE-2026-42945, CVSS v4: 9.2), \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c RCE \u0438\u043b\u0438 \u0432\u044b\u0437\u0432\u0430\u0442\u044c DoS \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432. \u041e\u043d\u0430 \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0430 \u0443\u0441\u043b\u043e\u0432\u043d\u043e\u0435 \u043d\u0430\u0437\u0432\u0430\u043d\u0438\u0435\u00a0NGINX Rift.\n\n\u041a\u0430\u043a \u043e\u0442\u043c\u0435\u0447\u0430\u0435\u0442 F5, \u0432 \u043c\u043e\u0434\u0443\u043b\u044f\u0445 ngx_http_rewrite_module \u0432 NGINX Plus \u0438 NGINX Open Source \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0432\u043e\u0437\u043d\u0438\u043a\u0430\u0435\u0442, \u043a\u043e\u0433\u0434\u0430 \u0437\u0430 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u043e\u0439 rewrite \u0441\u043b\u0435\u0434\u0443\u0435\u0442 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0430 rewrite, if \u0438\u043b\u0438 set, \u0430 \u0442\u0430\u043a\u0436\u0435 \u043d\u0435\u043d\u0430\u0437\u0432\u0430\u043d\u043d\u044b\u0439 \u0437\u0430\u0445\u0432\u0430\u0442 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e Perl-\u0441\u043e\u0432\u043c\u0435\u0441\u0442\u0438\u043c\u043e\u0433\u043e \u0440\u0435\u0433\u0443\u043b\u044f\u0440\u043d\u043e\u0433\u043e \u0432\u044b\u0440\u0430\u0436\u0435\u043d\u0438\u044f (PCRE) (\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, $1, $2) \u0441 \u0437\u0430\u043c\u0435\u043d\u043e\u0439 \u0441\u0442\u0440\u043e\u043a\u0438, \u0432\u043a\u043b\u044e\u0447\u0430\u044e\u0449\u0435\u0439 \u0432\u043e\u043f\u0440\u043e\u0441\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u0437\u043d\u0430\u043a (?).\n\n\u041d\u0435\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u044d\u0442\u0443 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u044f\u044f \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0435 HTTP-\u0437\u0430\u043f\u0440\u043e\u0441\u044b, \u0447\u0442\u043e \u0432\u044b\u0437\u043e\u0432\u0435\u0442 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0431\u0443\u0444\u0435\u0440\u0430 \u043a\u0443\u0447\u0438 \u0432 \u0440\u0430\u0431\u043e\u0447\u0435\u043c \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0435 NGINX \u0438 \u043f\u0440\u0438\u0432\u0435\u0434\u0435\u0442 \u043a \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u043a\u0443.\n\n\u041a\u0440\u043e\u043c\u0435 \u0442\u043e\u0433\u043e, \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0430\u0445 \u0441 \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u043e\u0439 \u0440\u0430\u043d\u0434\u043e\u043c\u0438\u0437\u0430\u0446\u0438\u0435\u0439 \u0440\u0430\u0441\u043f\u043e\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u0430\u0434\u0440\u0435\u0441\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0441\u0442\u0432\u0430 (ASLR) \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0430.\n\n\u0414\u0430\u043d\u043d\u0430\u044f \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0431\u044b\u043b\u0430 \u0440\u0435\u0448\u0435\u043d\u0430 \u0432 \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0445 \u0432\u0435\u0440\u0441\u0438\u044f\u0445 \u043f\u043e\u0441\u043b\u0435 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u044f 21 \u0430\u043f\u0440\u0435\u043b\u044f: NGINX Plus R32 - R36 (\u0432 R32 P6 \u0438 R36 P4), NGINX Open Source 1.0.0 - 1.30.0 (\u0432 \u0432\u0435\u0440\u0441\u0438\u044f\u0445 1.30.1 \u0438 1.31.0), 0.6.27 - 0.9.7 (\u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043d\u0435 \u043f\u043b\u0430\u043d\u0438\u0440\u0443\u044e\u0442\u0441\u044f), NGINX Instance Manager 2.16.0 - 2.21.1, F5 WAF \u0434\u043b\u044f NGINX 5.9.0 - 5.12.1, NGINX App Protect WAF 4.9.0 - 4.16.0, NGINX App Protect WAF 5.1.0 - 5.8.0, F5 DoS \u0434\u043b\u044f NGINX 4.8.0, NGINX App Protect DoS 4.3.0 - 4.7.0, NGINX Gateway Fabric 1.3.0 - 1.6.2, 2.0.0 - 2.5.1, \u0430 \u0442\u0430\u043a\u0436\u0435 NGINX Ingress Controller 3.5.0 - 3.7.2, 4.0.0 - 4.0.1 \u0438 5.0.0 - 5.4.1.\n\n\u0412 \u0441\u0432\u043e\u0435\u043c \u0441\u043e\u0431\u0441\u0442\u0432\u0435\u043d\u043d\u043e\u043c \u0443\u0432\u0435\u0434\u043e\u043c\u043b\u0435\u043d\u0438\u0438 depthfirst \u0441\u043e\u043e\u0431\u0449\u0430\u0435\u0442, \u0447\u0442\u043e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u043d\u0435\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u043f\u043e\u0432\u0440\u0435\u0434\u0438\u0442\u044c \u043a\u0443\u0447\u0443 \u0440\u0430\u0431\u043e\u0447\u0435\u0433\u043e \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430 NGINX, \u043e\u0442\u043f\u0440\u0430\u0432\u0438\u0432 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 URI.\n\n\u0421\u0435\u0440\u044c\u0435\u0437\u043d\u043e\u0441\u0442\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0437\u0430\u043a\u043b\u044e\u0447\u0430\u0435\u0442\u0441\u044f \u0432 \u0442\u043e\u043c, \u0447\u0442\u043e \u043e\u043d\u0430 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0430 \u0431\u0435\u0437 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438, \u043c\u043e\u0436\u0435\u0442 \u043d\u0430\u0434\u0435\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u0434\u043b\u044f \u0432\u044b\u0437\u044b\u0432\u0430\u043d\u0438\u044f \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043a\u0443\u0447\u0438 \u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u0432\u0435\u0441\u0442\u0438 \u043a \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044e \u043a\u043e\u0434\u0430 \u0432 \u0440\u0430\u0431\u043e\u0447\u0435\u043c \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0435 NGINX.\n\n\u0417\u0430\u043f\u0438\u0441\u044c \u0431\u0430\u0439\u0442\u043e\u0432 \u043f\u043e\u0441\u043b\u0435 \u0432\u044b\u0434\u0435\u043b\u0435\u043d\u0438\u044f \u043f\u0430\u043c\u044f\u0442\u0438 \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0434\u0438\u0442 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 URI \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u0438\u0441\u043a\u0430\u0436\u0435\u043d\u0438\u0435 \u0434\u0430\u043d\u043d\u044b\u0445 \u0444\u043e\u0440\u043c\u0438\u0440\u0443\u0435\u0442\u0441\u044f \u0441\u0430\u043c\u0438\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u043e\u043c, \u0430 \u043d\u0435 \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0434\u0438\u0442 \u0441\u043b\u0443\u0447\u0430\u0439\u043d\u044b\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c. \u041f\u043e\u0432\u0442\u043e\u0440\u043d\u044b\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u0442\u0430\u043a\u0436\u0435 \u043c\u043e\u0433\u0443\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u0434\u043b\u044f \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0430\u043d\u0438\u044f \u0446\u0438\u043a\u043b\u043e\u0432 \u0441\u0431\u043e\u0435\u0432 \u0438 \u0441\u043d\u0438\u0436\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0441\u0442\u0438 \u0434\u043b\u044f \u043a\u0430\u0436\u0434\u043e\u0433\u043e \u0441\u0430\u0439\u0442\u0430, \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u0435\u043c\u043e\u0433\u043e \u0434\u0430\u043d\u043d\u044b\u043c \u044d\u043a\u0437\u0435\u043c\u043f\u043b\u044f\u0440\u043e\u043c.\n\n\u0412 NGINX Plus \u0438 NGINX Open Source \u0442\u0430\u043a\u0436\u0435 \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u044b \u0442\u0440\u0438 \u0434\u0440\u0443\u0433\u0438\u0435 \u0441\u0435\u0440\u044c\u0435\u0437\u043d\u044b\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438:\n\n- CVE-2026-42946\u00a0(CVSS v4: 8.3): \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0447\u0440\u0435\u0437\u043c\u0435\u0440\u043d\u044b\u043c \u0432\u044b\u0434\u0435\u043b\u0435\u043d\u0438\u0435\u043c \u043f\u0430\u043c\u044f\u0442\u0438 \u0432 \u043c\u043e\u0434\u0443\u043b\u044f\u0445 ngx_http_scgi_module \u0438 ngx_http_uwsgi_module, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u043d\u0435\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u0441 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044f\u043c\u0438 \u0430\u0442\u0430\u043a\u0438 AitM \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043e\u0442\u0432\u0435\u0442\u044b \u043e\u0442 \u0432\u044b\u0448\u0435\u0441\u0442\u043e\u044f\u0449\u0435\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0430, \u0447\u0442\u043e\u0431\u044b \u0441\u0447\u0438\u0442\u044b\u0432\u0430\u0442\u044c \u043f\u0430\u043c\u044f\u0442\u044c \u0440\u0430\u0431\u043e\u0447\u0435\u0433\u043e \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430 NGINX \u0438\u043b\u0438 \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0442\u044c \u0435\u0433\u043e \u043f\u0440\u0438 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0435 scgi_pass \u0438\u043b\u0438 uwsgi_pass.\n\n- CVE-2026-40701\u00a0(CVSS v4: 6.3): \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0442\u0438\u043f\u0430 \u00ab\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043f\u043e\u0441\u043b\u0435 \u043e\u0441\u0432\u043e\u0431\u043e\u0436\u0434\u0435\u043d\u0438\u044f \u043f\u0430\u043c\u044f\u0442\u0438\u00bb \u0432 \u043c\u043e\u0434\u0443\u043b\u0435 ngx_http_ssl_module, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u043d\u0435\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u043d\u0430\u0434 \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0445 \u0438\u043b\u0438 \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u043a\u043e\u043c \u0440\u0430\u0431\u043e\u0447\u0435\u0433\u043e \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430 NGINX, \u0435\u0441\u043b\u0438 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0430 ssl_verify_client \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0430 \u0432 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u00abon\u00bb \u0438\u043b\u0438 \u00aboptional\u00bb, \u0430 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0430 ssl_ocsp \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0430 \u0432 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u00abon\u00bb.\n\n- CVE-2026-42934\u00a0(CVSS v4: 6.3): \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0447\u0442\u0435\u043d\u0438\u044f \u0437\u0430 \u043f\u0440\u0435\u0434\u0435\u043b\u0430\u043c\u0438 \u0434\u043e\u043f\u0443\u0441\u0442\u0438\u043c\u043e\u0433\u043e \u0434\u0438\u0430\u043f\u0430\u0437\u043e\u043d\u0430 \u0432 \u043c\u043e\u0434\u0443\u043b\u0435 ngx_http_charset_module, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u043d\u0435\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u044c \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u043f\u0430\u043c\u044f\u0442\u0438 \u0438\u043b\u0438 \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u0442\u0438\u0442\u044c \u0440\u0430\u0431\u043e\u0447\u0438\u0439 \u043f\u0440\u043e\u0446\u0435\u0441\u0441 NGINX, \u0435\u0441\u043b\u0438 \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043d\u044b \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u044b charset, source_charset, charset_map \u0438 proxy_pass \u0441 \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u043e\u0439 \u0431\u0443\u0444\u0435\u0440\u0438\u0437\u0430\u0446\u0438\u0435\u0439 (\"off\").\n\n\u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u043c \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0435 \u0432\u0435\u0440\u0441\u0438\u0438 \u0434\u043b\u044f \u043e\u043f\u0442\u0438\u043c\u0430\u043b\u044c\u043d\u043e\u0439 \u0437\u0430\u0449\u0438\u0442\u044b. \u0415\u0441\u043b\u0438 \u043d\u0435\u043c\u0435\u0434\u043b\u0435\u043d\u043d\u0430\u044f \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0439 \u0434\u043b\u044f CVE-2026-42945 \u043d\u0435\u0432\u043e\u0437\u043c\u043e\u0436\u043d\u0430, \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u043c \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0438\u0437\u043c\u0435\u043d\u0438\u0442\u044c \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044e \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0438\u0441\u0438, \u0437\u0430\u043c\u0435\u043d\u0438\u0432 \u043d\u0435\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u043d\u044b\u0435 \u043f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u044b \u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u043d\u044b\u043c\u0438 \u043f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u0430\u043c\u0438 \u0432\u043e \u0432\u0441\u0435\u0445 \u0437\u0430\u0442\u0440\u043e\u043d\u0443\u0442\u044b\u0445 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0430\u0445 \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0438\u0441\u0438.", "creation_timestamp": "2026-05-14T17:00:08.000000Z"}, {"uuid": "2808ef1d-a996-4cf1-8f1b-a962e1a898fa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mltgebuc3o2o", "content": "18-year-old NGINX heap buffer overflow CVE-2026-42945 affects versions 0.6.27 to 1.30.0, enabling DoS and possible RCE under specific rewrite/set configs. F5 has released fixes. #NGINX #F5 #CVE202642945", "creation_timestamp": "2026-05-14T18:17:39.931759Z"}, {"uuid": "c541f29a-c6a4-4964-a71e-005d4018887a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116574610751989738", "content": "Our CTI team identified a lot of activities targeting F5 NGINX Plus and NGINX Open Source (CVE-2026-42945) https://vuldb.com/vuln/363570/cti", "creation_timestamp": "2026-05-14T19:36:51.701495Z"}, {"uuid": "31c4396a-610f-467c-adcd-cc298cff3e87", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/eB7BQNye3ewigGd-NouKdT5JeSAi9BwwL5n749gk_J2qI0I", "content": "", "creation_timestamp": "2026-05-14T23:00:11.000000Z"}, {"uuid": "29c93a1f-287f-48b8-b9d1-69fcff490482", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84251", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a ai-vuln-rediscovery-nginx-cve-2026-42945\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a ChamsBouzaiene\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-14 20:21:19\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\n\u65e0\u63cf\u8ff0\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-14T21:00:04.000000Z"}, {"uuid": "4226e2e5-538a-40eb-bf98-9a5757f603b0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://gist.github.com/lukecav/d7cf64740a780fe4df51e5c182417f95", "content": "https://almalinux.org/blog/2026-05-13-nginx-rift-cve-2026-42945/\nhttps://ubuntu.com/security/notices/USN-8271-1\nhttps://ubuntu.com/security/CVE-2026-42945", "creation_timestamp": "2026-05-14T22:21:27.000000Z"}, {"uuid": "6591ce70-27a2-476b-b99c-78afbded8096", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/pxejltfM6t0bOCIPs7C1JhjfACvEO7Gy-x7DlZhJbRtGeV0", "content": "", "creation_timestamp": "2026-05-14T21:00:04.000000Z"}, {"uuid": "09e2111b-f68f-4849-acfe-67a36210276a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/securityrss.bsky.social/post/3mlty3ddxfw2m", "content": "Cybersecurity researchers have identified multiple vulnerabilities in NGINX Plus and NGINX Open, including a critical 18-year-old flaw (CVE-2026-42945) that allows unauthenticated remote code execution through a heap buffer overflow in the ngx_http_rewrite_module.", "creation_timestamp": "2026-05-14T23:32:32.761060Z"}, {"uuid": "e9ce940e-7a0e-46d3-b489-c880a856f152", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlubzmjy2i2u", "content": "Top 3 CVE for last 7 days:\nCVE-2026-43284: 147 interactions\nCVE-2026-43500: 99 interactions\nCVE-2026-31431: 72 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-46300: 39 interactions\nCVE-2026-42945: 17 interactions\nCVE-2026-31431: 14 interactions\n", "creation_timestamp": "2026-05-15T02:30:32.561532Z"}, {"uuid": "03376059-efd4-46dd-873f-3353e1f2d5f3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/JrhtlH5vIKVqfPsRhNID2luO_6y1hB6kqu8fx0CSUhqMeA", "content": "", "creation_timestamp": "2026-05-14T08:30:21.000000Z"}, {"uuid": "5e372c1e-0a82-4ceb-bc9c-5a184b26fc37", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/sweordbora.hausen.com/post/3mlusg4mxzk2s", "content": "CVE-2026-42945 am Feiertag und Br\u00fcckentag.\n\nImmer wieder Spa\u00df! \ud83d\ude21\n\nSeit gestern Abend schon am dran am arbeiten.", "creation_timestamp": "2026-05-15T07:23:51.529788Z"}, {"uuid": "dbdcbcc1-9578-44cf-a122-80008eeb0c2a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hacker-news-jp.bsky.social/post/3mlutl3ar262c", "content": "\ud83d\udca1 Summary: \n\nNGINX\u306engx_http_rewrite_module\u306b\u8d77\u56e0\u3059\u308b\u6df1\u523b\u306a\u30d2\u30fc\u30d7\u30d0\u30c3\u30d5\u30a1\u30aa\u30fc\u30d0\u30fc\u30d5\u30ed\u30fc\u306e RCE PoC\u304c\u516c\u958b\u3055\u308c\u3001rewrite\u3068set\u30c7\u30a3\u30ec\u30af\u30c6\u30a3\u30d6\u3092\u5229\u7528\u3059\u308b\u672a\u8a8d\u8a3c\u30ea\u30e2\u30fc\u30c8\u30b3\u30fc\u30c9\u5b9f\u884c\u304c\u53ef\u80fd\u3068\u306a\u308b\u8106\u5f31\u6027\uff08CVE-2026-42945\uff09\u306e\u4ed6\u3001\u540c\u69d8\u306e\u30e1\u30e2\u30ea\u7834\u58ca\u554f\u984c\u304c\u8a084\u4ef6\u5831\u544a\u3055\u308c\u305f\u3002\u8106\u5f31\u6027\u306f\u30012-pass\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u30a8\u30f3\u30b8\u30f3\u306e\u9577\u3055\u8a08\u7b97\u3068\u30b3\u30d4\u30fc\u51e6\u7406\u306e\u9593\u3067is_args\u306e\u6271\u3044\u304c\u4e0d\u6574\u5408\u306b\u306a\u308b\u3053\u3068\u3067\u3001\u653b\u6483\u8005\u5236\u5fa1\u306eURI\u30c7\u30fc\u30bf\u3092\u7528\u3044\u305f\u30d2\u30fc\u30d7\u9818\u57df\u306e\u7834\u58ca\u3092\u62db\u304d\u3001ngx_pool_cleanup_s\u3092\u4ecb\u3057\u3066system()\u3092\u5b9f\u884c\u3055\u305b\u308b\u6d41\u308c\u3092\u5229\u7528\u3059\u308b\u3002 (1/2)", "creation_timestamp": "2026-05-15T07:44:49.224725Z"}, {"uuid": "f36ce2b6-45c3-4773-8178-0ad8d21dc800", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/bearstech.com/post/3mluw6rgxhf2h", "content": "\ud83d\udea8 Nouvelle faille critique sur NGINX : CVE-2026-42945 (Z)\n\nUne vuln\u00e9rabilit\u00e9 dans ngx_http_rewrite_module peut provoquer un crash des workers NGINX, voire une ex\u00e9cution de code si l\u2019ASLR est d\u00e9sactiv\u00e9.\n\n\ud83d\udc49 security-tracker.deb...", "creation_timestamp": "2026-05-15T08:31:20.051593Z"}, {"uuid": "341253cb-fbe0-4793-aa11-b4856de83f99", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84296", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #RCE #Remote\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a nginx-rift-detect\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a iammerrida-source\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-15 07:37:00\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nBehavioral detection script for CVE-2026-42945 (NGINX Rift) \u2014 heap overflow in ngx_http_rewrite_module. No RCE, crash-based detection only.\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-15T08:00:44.000000Z"}, {"uuid": "48b57e30-bd7f-4bb6-99be-393d7eb41612", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/mm-ilsoftware-bot.bsky.social/post/3mlv36fcfr22z", "content": "NGINX Rift: il bug rimasto nascosto 18 anni che porta all\u2019esecuzione di codice da remoto\nLa vulnerabilit\u00e0 CVE-2026-42945 \u00e8 presente in NGINX dal 2008 ma \u00e8 venuta a galla soltanto o...\nhttps://www.ilsoftware.it/nginx-rift-exploit-vulnerabilita-critica/", "creation_timestamp": "2026-05-15T10:02:48.927061Z"}, {"uuid": "cf8860fa-c2b0-4ae8-a683-31b3c4916ec0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://gist.github.com/yogesh-mishra-pagero/4290cc24fe8ff89360cadb41a125036c", "content": "# CVE-2026-42945 (nginx rewrite RCE) \u2014 `tms-nginx` Impact Analysis\n\n## TL;DR\n\n| Question | Answer |\n|---|---|\n| Does `tms-nginx` contain the vulnerable nginx code? | \u2705 **Yes** \u2014 base image `nginx:1.29.8`, inside the affected range (0.6.27 \u2013 1.30.0). |\n| Does the vulnerability impact `tms-nginx` in practice? | \u274c **No** \u2014 the bug requires a `rewrite` directive to set the `is_args` flag and a downstream capture-using sink. `tms-nginx` has no `rewrite`, no `set $var ...`, and no capture-interpolating `proxy_pass` anywhere in any environment. Not currently exploitable. |\n| Should we patch anyway? | Yes, on the normal renovate cycle \u2014 defense-in-depth, not an emergency. |\n\n## About the CVE\n\n| | |\n|---|---|\n| CVE | CVE-2026-42945 (plus -42946, -40701, -42934) |\n| Type | Heap buffer overflow in `ngx_http_rewrite_module` \u2192 unauthenticated RCE |\n| Affected (Open Source) | 0.6.27 \u2013 1.30.0 |\n| Fixed (Open Source) | 1.30.1, 1.31.0+ |\n| Vendor advisory | https://my.f5.com/manage/s/article/K000160932 |\n\n### Trigger condition\n\nThe bug is a two-pass length/copy mismatch in nginx's script engine:\n\n- **Length pass** computes the buffer size with `is_args = 0` on a freshly-zeroed sub-engine \u2014 returns the raw capture length.\n- **Copy pass** runs with `is_args = 1` (set on the main engine because the rewrite replacement contains `?`) \u2014 calls `ngx_escape_uri` with `NGX_ESCAPE_ARGS`, expanding each escapable byte to 3 bytes.\n\nThe undersized buffer overflows with attacker-controlled URI data.\n\nThe bug fires when **all** of these hold in the same `location`/`server` script chain:\n\n1. A `rewrite` directive whose **replacement contains `?`** (this sets `is_args` on the main engine).\n2. A capture (`$1`, `${name}`, etc.) is referenced **somewhere in the same script chain** \u2014 that reference can be in the rewrite replacement itself, in a subsequent `set $var $N`, or in a capture-interpolating `proxy_pass`.\n3. The capture value contains bytes that need URI-escaping.\n\nImportant caveats:\n\n- `?` inside a regex named-capture group `(?...)` is **pattern syntax**, not a `?` in the replacement. Those do not trigger the bug.\n- A regex `location ~ ^/(.*)$ { ... }` block with `(.*)` capture is harmless on its own \u2014 the bug needs both the `?`-replacement AND a capture sink in the same chain.\n- `return 301 ...$request_uri;` does not trigger \u2014 `return` is in `ngx_http_rewrite_module` but does not exercise the buggy two-pass length/copy machinery.\n\n## Part 1 \u2014 Does `tms-nginx` contain the vulnerable code?\n\n`tms-nginx` is the on-prem TMS reverse proxy, deployed as a Docker container on the `tms*` hosts (thn-prod, thn-staging, thn-test, sth-dr) by the `managed_systemd_unit` Ansible role. It terminates TLS for `tms.pageroonline.com`, `lms.primelog.com`, and `tms-int.pageroonline.com`, and is therefore public-facing on ports 80/443.\n\n### Image build\n\n`tms-nginx/Dockerfile`:\n\n```dockerfile\nFROM nginx:1.29.8@sha256:7f0adca1fc6c29c8dc49a2e90037a10ba20dc266baaed0988e9fb4d0d8b85ba0\n```\n\n`1.29.8 < 1.30.0` \u2192 **inside the affected range.** The vulnerable `ngx_http_rewrite_module` code is in every running `tms-nginx` container today.\n\nNote: `NGINX_VERSION=...` in `tms-version//nginx.version` (e.g. `2.0-b126`, `1.50.1-GO`) is the **Pagero image tag**, not the upstream nginx version. The upstream nginx version is whatever `FROM nginx:...` was at the time the image was built \u2014 historically `1.29.x` or older mainline, all in the affected range.\n\n### Deployment\n\n`tms-deploy/roles/managed_systemd_unit/templates/etc/systemd/system/nginx.service` runs the image with port 80/443 published on `0.0.0.0` and the per-env config files mounted from the host:\n\n```ini\nExecStart=/usr/bin/docker run \\\n    --name ${CONTAINER_NAME} \\\n    -p 0.0.0.0:80:80 \\\n    -p 0.0.0.0:443:443 \\\n    -v /etc/nginx/services.yaml:/etc/nginx/services.yaml \\\n    -v /etc/nginx/service_locations.conf:/etc/nginx/service_locations.conf \\\n    -v /etc/nginx/ip_restrictions.conf:/etc/nginx/ip_restrictions.conf \\\n    ...\n    ${REPOSITORY_NAME}/${CONTAINER_NAME}:${NGINX_VERSION}\n```\n\nThe runtime `nginx.conf` is rendered by `confd` from `tms-nginx/package/etc/confd/templates/nginx.conf.tmpl` against the per-host `services.yaml`. The directives that actually end up in nginx come from three sources only:\n\n1. `tms-nginx/package/etc/confd/templates/nginx.conf.tmpl` (baked into the image).\n2. `tms-deploy/config///etc/nginx/service_locations.conf` (mounted from host).\n3. `tms-deploy/config///etc/nginx/ip_restrictions.conf` (mounted from host).\n\n## Part 2 \u2014 Does the vulnerability impact `tms-nginx`?\n\nTo impact us, the trigger condition must exist in the rendered nginx config. Each of the three sources above was audited against the broad trigger model from Part 1.\n\n### `nginx.conf.tmpl` (baked into the image)\n\nContents (relevant):\n\n- `http { ... }` global settings (logging, SSL, proxy timeouts).\n- Dynamic `upstream api- { ... }` blocks generated from `services.yaml`.\n- Per-server `server { listen 80; ... return 301 https://$server_name$request_uri; }` HTTP\u2192HTTPS redirects.\n- Per-server `server { listen 443 ssl; ... include service_locations.conf; }` TLS server blocks.\n\nNo `rewrite`, no `set $var ...`, no `if ($var ...)` script directives. The only redirect is `return 301`, which is not a CVE trigger.\n\n### `service_locations.conf` (per environment)\n\nAudited across all four environments (thn-prod, thn-staging, thn-test, sth-dr):\n\n- `tms-deploy/config/thn/prod/etc/nginx/service_locations.conf`\n- `tms-deploy/config/thn/staging/etc/nginx/service_locations.conf`\n- `tms-deploy/config/thn/test/etc/nginx/service_locations.conf`\n- `tms-deploy/config/sth/dr/etc/nginx/service_locations.conf`\n\nEvery block follows this shape:\n\n```nginx\nlocation / {\n  include ip_restrictions.conf;\n  proxy_pass http://api-/;\n}\n```\n\nThe only regex `location` block:\n\n```nginx\nlocation / {\n  location ~^/(.*)/ {\n    include ip_restrictions.conf;\n    proxy_pass http://api-primelog;\n  }\n  location / {\n    include ip_restrictions.conf;\n    proxy_pass http://api-primelog/primelog;\n  }\n}\n```\n\nThe regex `~^/(.*)/` does capture `$1`, but `proxy_pass http://api-primelog;` **does not reference the capture** \u2014 the capture is dropped, not interpolated into the upstream URL. No `?`, no `set`, no capture sink.\n\n### `ip_restrictions.conf` (per environment)\n\nOnly `allow`/`deny` directives (currently commented out). Not part of the script engine \u2014 no impact on this CVE.\n\n### Summary table\n\n| Construct under the broad trigger model | Present in `tms-nginx`? |\n|---|---|\n| `rewrite` directive (any) | **None** \u2014 zero across all sources, all environments. |\n| `?` in any rewrite replacement | n/a \u2014 no rewrites |\n| `set $var ...` directive | **None.** |\n| `if ($var ...)` block | **None.** |\n| `proxy_pass http://upstream/$N...` (capture-interpolating) | **None** \u2014 the one regex `location` does not interpolate `$1`. |\n\n### Conclusion of audit\n\n**The vulnerability is present in the binary but unreachable through `tms-nginx`'s configuration.** No script chain in any environment evaluates a captured `$N` while `is_args` could be set, because there is no `rewrite` to set `is_args` and no capture-using sink in any chain. An attacker cannot trigger the buggy code path via any traffic that reaches `tms-nginx` today.\n\n## Part 3 \u2014 What to do\n\n### Short term (now)\n\n- **No emergency action needed.** `tms-nginx` is not currently exploitable.\n- **Code-review rule** while the vulnerable nginx is still in use:\n  - Don't introduce a `rewrite` directive whose replacement contains `?`.\n  - Don't introduce a `set $var $N` (or any capture-using directive) in the same chain as such a rewrite.\n  - Don't introduce a capture-interpolating `proxy_pass`/`return`/`add_header` downstream of such a rewrite.\n\n### Medium term (normal renovate cycle)\n\nBump the base image in `tms-nginx/Dockerfile` once the official `nginx:` Docker library publishes a fixed tag:\n\n```dockerfile\nFROM nginx:1.29.8@sha256:7f0adca1fc6c29c8dc49a2e90037a10ba20dc266baaed0988e9fb4d0d8b85ba0\n```\n\n\u2192 should become `nginx:1.30.1` (stable) or `nginx:1.31.0+` (mainline) with a refreshed digest. Renovate is already wired up via `tms-nginx/renovate.json` extending `github>pagero/renovate-config//team-buzzard/default.json5`, so this should arrive as a normal PR.\n\nAfter the image is rebuilt and a new `tms-nginx` tag is pushed, update the env-specific `nginx.version` files in `tms-version/`, then deploy via the existing `update_util_service.yml` flow:\n\n```bash\nansible-playbook update_util_service.yml -kK \\\n  --extra-vars 'services_version_commit=HEAD site_env=thn/prod service=tms-nginx' \\\n  --diff -l tms1.prod.thn.int.pagero.com\n```\n\nReasons to bump (not urgent, but worth doing):\n\n1. **Defense in depth** \u2014 a future config change adding a `?`-replacement rewrite plus any capture sink would silently re-introduce exploitability on a public-facing service.\n2. **Other CVEs in the same disclosure** (-42946, -40701, -42934) are also memory corruption issues in the same area; the patched nginx versions fix all four.\n3. **Scanner hygiene** \u2014 vulnerability scanners (Qualys/BigFix) will flag this regardless of exploitability.\n\n### Operational caveats for the bump\n\n- `tms-nginx` is on `nginx:1.29.8` today \u2014 the jump to `1.30.1` or `1.31.0` is one minor version. Smaller blast radius than older fleets, but treat with normal caution: deploy to test/staging first, watch error logs for behavioural changes (HTTP/2, regex `location` semantics, header parsing), don't roll fleet-wide on the same day.\n- `tms-nginx` is a SPoF for inbound TMS traffic in each datacenter (paired with keepalived for VIP failover). Bump test \u2192 staging \u2192 DR (sth) \u2192 prod (thn) in that order.\n\n## Re-audit when configs change\n\nRun before merging any change that touches `tms-nginx/`, `tms-deploy/config/*/etc/nginx/`, or any other source that ends up in the rendered `nginx.conf`:\n\n```bash\n# 1. rewrite directive whose replacement contains '?' \u2014 sets is_args on the main engine\ngrep -rn -E '\\brewrite\\s+\\S+\\s+[^;]*\\?' \\\n  ~/github-clone-folder/tms-nginx/ \\\n  ~/github-clone-folder/tms-deploy/config/\n\n# 2. 'set $var ...' directive \u2014 capture sink downstream of a rewrite\ngrep -rn -E '^\\s*set\\s+\\$' \\\n  ~/github-clone-folder/tms-nginx/ \\\n  ~/github-clone-folder/tms-deploy/config/\n\n# 3. proxy_pass / return / add_header that interpolates a numeric or named capture\ngrep -rn -E '(proxy_pass|return|add_header)\\s+[^;]*\\$([0-9]|\\{)' \\\n  ~/github-clone-folder/tms-nginx/ \\\n  ~/github-clone-folder/tms-deploy/config/\n```\n\n**Decision rule:** If (1) returns hits AND either (2) or (3) returns hits in the same `location`/`server` block, the affected config has likely become exploitable on the vulnerable nginx \u2014 patching the base image becomes urgent.\n\nAll three return empty for `tms-nginx` today.\n\n## Audit invariant (suggested addition to `tms-nginx` README)\n\n> **CVE-2026-42945 audit invariant:** while pinned to upstream nginx < 1.30.1, `tms-nginx` and the configs it consumes from `tms-deploy/config/*/etc/nginx/` must not contain any `rewrite` directive whose replacement contains `?`, any `set $var ...` directive, or any capture-interpolating `proxy_pass`/`return`/`add_header`. If any of these are introduced, bump the base image first.\n\n## References\n\n- Vendor advisory: https://my.f5.com/manage/s/article/K000160932\n- Technical write-up: https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability\n- Public PoC: https://github.com/DepthFirstDisclosures/Nginx-Rift\n", "creation_timestamp": "2026-05-15T09:48:34.000000Z"}, {"uuid": "67913b48-543f-43c7-a82e-7a735befe7c2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://www.acn.gov.it/portale/w/f5-disponibile-poc-per-lo-sfruttamento-della-cve-2026-42945", "content": "Aggiornamenti di sicurezza risolvono molteplici vulnerabilit\u00e0, di cui 19 con gravit\u00e0 \u201calta\u201d, nei prodotti di F5. Tra queste si evidenzia la CVE-2026-42945, di tipo \u201cBuffer Overflow\u201d, per la quale risulta disponibile un Proof of Concept (PoC) in rete.", "creation_timestamp": "2026-05-15T11:50:56.000000Z"}, {"uuid": "2cf4529f-40e0-43d7-b0ec-078ae871d7b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84329", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a wazuh-nginx-cve-2026-42945-sca-lab\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a soksofos\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a None\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-15 12:47:34\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nCentralized Wazuh SCA Assessment for CVE-2026-42945 on NGINX Servers\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-15T13:00:04.000000Z"}, {"uuid": "ce81e2f5-1b13-4080-a465-7e875c954930", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/bdufstecru/3169", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044f ngx_http_rewrite_module \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432 NGINX Plus \u0438 NGINX Open Source \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435\u043c \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 \u0434\u0438\u043d\u0430\u043c\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u043f\u0430\u043c\u044f\u0442\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434\n\nBDU:2026-06827\nCVE-2026-42945\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://my.f5.com/manage/s/article/K000161019\nhttps://github.com/depthfirstdisclosures/nginx-rift\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u0438\u0437 \u043e\u0431\u0449\u0435\u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0445 \u0441\u0435\u0442\u0435\u0439 (\u0418\u043d\u0442\u0435\u0440\u043d\u0435\u0442);\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u044d\u043a\u0440\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0434\u043b\u044f \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0430\u043d\u0442\u0438\u0432\u0438\u0440\u0443\u0441\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0444\u0430\u0439\u043b\u043e\u0432 \u0438 \u0441\u0441\u044b\u043b\u043e\u043a, \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0445 \u0438\u0437 \u043d\u0435\u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432.", "creation_timestamp": "2026-05-15T13:07:24.000000Z"}, {"uuid": "c875e2c1-d35c-407e-a74f-03f7eada2d00", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/xakep_ru/19377", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432 NGINX 18-\u043b\u0435\u0442\u043d\u0435\u0439 \u0434\u0430\u0432\u043d\u043e\u0441\u0442\u0438 \u043f\u0440\u0438\u0432\u043e\u0434\u0438\u0442 \u043a \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044e \u043a\u043e\u0434\u0430\n\n\u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u0438\u0437 \u043a\u043e\u043c\u043f\u0430\u043d\u0438\u0438 DepthFirst AI \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b\u0438 \u0432 NGINX \u043a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0443\u044e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-42945, \u043d\u0430\u0431\u0440\u0430\u0432\u0448\u0443\u044e 9,2 \u0431\u0430\u043b\u043b\u0430 \u043f\u043e \u0448\u043a\u0430\u043b\u0435 CVSS. \u041f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u0435\u0442 \u0432\u0441\u0435 \u0432\u0435\u0440\u0441\u0438\u0438 NGINX \u043e\u0442 0.6.27 \u0434\u043e 1.30.0 \u0438 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043e\u0432\u0430\u043b\u0430 \u0432 \u043a\u043e\u0434\u0435 \u043e\u043a\u043e\u043b\u043e 18 \u043b\u0435\u0442.\n\nhttps://xakep.ru/2026/05/15/cve-2026-42945/", "creation_timestamp": "2026-05-15T12:37:43.000000Z"}, {"uuid": "72ee813b-87dd-4632-befb-66ba80bba5f2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlwshvs3sk2v", "content": "Top 3 CVE for last 7 days:\nCVE-2026-43284: 90 interactions\nCVE-2026-43500: 71 interactions\nCVE-2026-42511: 56 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-42897: 36 interactions\nCVE-2026-20182: 13 interactions\nCVE-2026-42945: 12 interactions\n", "creation_timestamp": "2026-05-16T02:34:31.328611Z"}, {"uuid": "f64a3a60-7dbc-4095-a05f-31c992facc09", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosecbriefly.bsky.social/post/3mlxmhydqak2s", "content": "CVE-2026-42945 enables heap buffer overflow in NGINX rewrite module, causing DoS and potential RCE when ASLR is disabled.\n", "creation_timestamp": "2026-05-16T10:15:32.546801Z"}, {"uuid": "6287dad8-dee8-4395-8447-250888ee5489", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/Sempf.infosec.exchange.ap.brid.gy/post/3mlwurlkavra2", "content": "And of course we're covering it at IFIN and I knew that because I read it all the time. Right? RIGHT??\n\nhttps://discourse.ifin.network/t/cve-2026-42945-heap-buffer-overflow-in-nginx/441", "creation_timestamp": "2026-05-16T03:13:33.013844Z"}, {"uuid": "ebf53fed-8287-41ae-9d73-0c08246ca2a4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/KXaROZyUwqGnjiItcDdn2vc7nDoAS4r1ja5gl7lZz0as5wE", "content": "", "creation_timestamp": "2026-05-14T08:13:32.000000Z"}, {"uuid": "9ed0dc8c-115b-4778-aec5-78a503c0918e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mlxuty2chi2o", "content": "PoC code is now public for CVE-2026-42945, a critical NGINX heap buffer overflow in ngx_http_rewrite_module that can cause DoS and, with ASLR off, possible RCE. #NGINX #F5 #CVE202642945", "creation_timestamp": "2026-05-16T12:45:23.394397Z"}, {"uuid": "8d0d6a59-4680-4908-a231-b87f4f99b5e0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116583787798290759", "content": "\ud83d\udea8 PoC code for CRITICAL NGINX vuln (CVE-2026-42945) now public! Heap buffer overflow in ngx_http_rewrite_module \u2014 can cause DoS or RCE if ASLR is disabled. Patch NGINX Plus/open source ASAP. https://radar.offseq.com/threat/poc-code-published-for-critical-nginx-vulnerabilit-3d78edaa #OffSeq #NGINX #Vuln #InfoSec", "creation_timestamp": "2026-05-16T10:31:13.641717Z"}, {"uuid": "4f95cb33-2de3-4f7e-a80f-4a236ff80b90", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/nomaakip.sk.nomaakip.xyz.ap.brid.gy/post/3mlxnzfz7zhn2", "content": "https://nvd.nist.gov/vuln/detail/CVE-2026-42945", "creation_timestamp": "2026-05-16T10:44:19.418604Z"}, {"uuid": "5966a74a-4ec8-4735-b0ef-2502f5de709d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84504", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a nGixshell\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a MateusVerass\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-16 21:15:39\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nnginx CVE scanner + RCE exploit framework (CVE-2026-42945 + 16 others)\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-16T22:00:04.000000Z"}, {"uuid": "a0a402b5-6119-4831-9f5d-facc3eb4f3ef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/-NMzys9xsFTd5fRdhh3idHLMwfQDFfZaX0NKqYLB8KWkr5Y", "content": "", "creation_timestamp": "2026-05-15T03:00:11.000000Z"}, {"uuid": "4ee15bb4-bfe7-4772-a769-237edd21c52b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/4tIKexrP1B7eYtOW91-QaKQ8EIqNMri3pu2C_JIQ1mA899I", "content": "", "creation_timestamp": "2026-05-15T03:00:06.000000Z"}, {"uuid": "af4e29e4-7615-488d-a6f3-bc7201b71a22", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/iKnfi4QCSQebTTiUH0giCSUzslUJZMv24jBuhJB2_E6yjp8", "content": "", "creation_timestamp": "2026-05-15T07:00:13.000000Z"}, {"uuid": "b9564271-a8db-4221-9d56-899cb1a7bc7a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/cSRM_sxHDtnRQN0U9S0dl5MQhDSVPGcEgOHb6vFr3zWEaR4", "content": "", "creation_timestamp": "2026-05-15T11:00:09.000000Z"}, {"uuid": "dc5c7168-ecd4-4029-bb48-2a5eec3b4414", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/tjgrzpu_dxl6dwKI7zyqcFMKKJNj87hWK2Sc-mpFVOelTAw", "content": "", "creation_timestamp": "2026-05-15T09:00:04.000000Z"}, {"uuid": "b5f9458e-4ccd-42d0-a81d-f67d05e56e30", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/NIJT6QRadmo1sJAEeCWMHE7rPG3mvpUh79CJ74OVXUNIdhg", "content": "", "creation_timestamp": "2026-05-15T15:00:15.000000Z"}, {"uuid": "bc9125b2-538e-4cf5-8967-e76a9bc2b55f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/q3bZ7dzwt6XdRM-jyUWUHYQhep0OmyjD4PHNSw542P5jdgA", "content": "", "creation_timestamp": "2026-05-15T15:00:07.000000Z"}, {"uuid": "c941df60-cdb0-423e-9bbf-6713fa3d569c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/Q6p02XdZnb5swhwy89XHNEiDmKSj81wUwVIbU55eyIFVGP4", "content": "", "creation_timestamp": "2026-05-16T11:00:11.000000Z"}, {"uuid": "ba16c86b-a67e-4780-91b5-9ee8d9641596", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/8zfghiqhdMgUnQpN-sW_sONu8d5R6D_u0VHsC67HR3Je1Bs", "content": "", "creation_timestamp": "2026-05-16T15:00:07.000000Z"}, {"uuid": "33084c2d-6bbc-4ff2-a417-eed50cac9879", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/thehackernews/9017", "content": "\ud83d\udea8 NGINX bug (CVE-2026-42945) now under active exploitation.\n\nCritical heap overflow in rewrite module. Attackers can crash workers with one request (possible RCE).\n\nPatch now if using NGINX \u22641.30.0. Check rewrite/if/set rules.\n\nFull details: https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html", "creation_timestamp": "2026-05-17T12:40:51.000000Z"}, {"uuid": "b5b01f51-fc2a-4ab2-9ff5-a3efe1a1592b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/it4intserver.bsky.social/post/3mm2payqnx525", "content": "iT4iNT SERVER NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE VDS VPS Cloud #NGINX #CVE202642945 #CyberSecurity #InfoSec #Vulnerability", "creation_timestamp": "2026-05-17T15:43:17.774112Z"}, {"uuid": "a6d4ff70-33ef-4dac-bab2-698399d1a12b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/cibsecurity/89399", "content": "\ud83d\udd8b\ufe0f NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE \ud83d\udd8b\ufe0f\n\nA newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck. The vulnerability, tracked as CVE202642945 CVSS score 9.2, is a heap buffer overflow in ngxhttprewritemodule affecting NGINX versions 0.6.27 through 1.30.0. According to AInative security company depthfirst, the.\n\n\ud83d\udcd6 Read more.\n\n\ud83d\udd17 Via \"The Hacker News\"\n\n----------\n\ud83d\udc41\ufe0f Seen on @cibsecurity", "creation_timestamp": "2026-05-17T15:30:11.000000Z"}, {"uuid": "2fbdbcc4-5971-4a81-a347-b6b50b4d4e06", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/ctinow/250405", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE\nhttps://ift.tt/97FPkjs", "creation_timestamp": "2026-05-17T14:59:21.000000Z"}, {"uuid": "9b57ee8b-7682-4b9c-924d-82e643c703b1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html", "content": "A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck.\nThe vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the", "creation_timestamp": "2026-05-17T09:57:53.000000Z"}, {"uuid": "fcd8dfae-2915-4556-ab41-25515791a4ed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/cybersecurity0001.bsky.social/post/3mm2sj6jqa42b", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE", "creation_timestamp": "2026-05-17T16:41:37.637311Z"}, {"uuid": "86819ce3-cb5f-47b2-8fcb-31b4278b84d8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/TengkorakCyberCrewzz/10439", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE \u2013 thehackernews.com\n\nSun, 17 May 2026 19:57:53", "creation_timestamp": "2026-05-17T16:03:30.000000Z"}, {"uuid": "402c1897-79c4-4106-8180-7800aad2e755", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/blockchainreport.bsky.social/post/3mm2mn6iea52g", "content": "Ledger CTO warns of critical NGINX vulnerability (CVE-2026-42945) affecting many versions. Less than 30% of servers are updated, risking widespread exploitation, including potential RCE. Urgent patching needed!\n\n#crypto #blockchain #news ", "creation_timestamp": "2026-05-17T14:56:23.936499Z"}, {"uuid": "55fa70d0-1693-4b2b-a714-a20fba5b354b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosecbriefly.bsky.social/post/3mm2mzgj5s52p", "content": "CVE-2026-42945 in NGINX heap overflow is actively exploited, enabling unauthenticated worker crashes and potential RCE when ASLR is disabled and specific configuration is known.\n", "creation_timestamp": "2026-05-17T15:03:16.210616Z"}, {"uuid": "4ee3beb9-25ed-44d8-abdd-99f4758188b5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/crustytldr.bsky.social/post/3mm2xag3hhb2n", "content": "\ud83d\udcf0 NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE\n\nA newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in th...\n\nhttps://tinyurl.com/4rpcrfve #TechNews #CrustyTLDR", "creation_timestamp": "2026-05-17T18:06:16.240131Z"}, {"uuid": "c1fae926-a621-4acb-b889-be776df0ac0b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/ninjaowl.ai/post/3mm2ntmv4kz25", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...", "creation_timestamp": "2026-05-17T15:17:54.469335Z"}, {"uuid": "dcd72ddb-c0f3-43dd-bd38-3312e3a25b96", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mm2o5okdpq2u", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE", "creation_timestamp": "2026-05-17T15:23:32.086885Z"}, {"uuid": "4973eaa1-ef3e-4cc6-909b-270699f68f22", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mm2ygxcy632j", "content": "CVE-2026-42945 \u2014 NGINX Heap Buffer Overflow RCE", "creation_timestamp": "2026-05-17T18:28:29.432730Z"}, {"uuid": "08222329-3f60-420d-8872-a120d635d0df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/SGSUjF26-ygnogg5NK2LPoh75SNGuWwjlPFXjPvQe3zVzaE", "content": "", "creation_timestamp": "2026-05-17T19:00:14.000000Z"}, {"uuid": "451434e9-35af-408f-bd4f-3653f8feb3d0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/cyberveille-ch.bsky.social/post/3mm3a2lukto24", "content": "\ud83d\udce2 NGINX Rift : RCE critique via un heap overflow vieux de 18 ans (CVE-2026-42945)\n\ud83d\udcdd ## \ud83d\udd0d Contexte\n\nPubli\u00e9 le 13 mai 2026 par Zhenpeng (Leo) Lin, chercheu\u2026\nhttps://cyberveille.ch/posts/2026-05-15-nginx-rift-rce-critique-via-un-heap-overflow-vieux-de-18-ans-cve-2026-42945/ #CVE_2026_40701 #Cyberveille", "creation_timestamp": "2026-05-17T20:43:55.548326Z"}, {"uuid": "a72f3a5e-240e-4de6-9f00-1e776332c965", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84589", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-42945-NGINX-Rift\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a Renison-Gohel\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-17 19:27:14\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\n\u65e0\u63cf\u8ff0\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-17T20:00:04.000000Z"}, {"uuid": "41d7874e-a111-4f4d-8f0f-b2ede75f03ba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mm3dikj35o2y", "content": "NGINX CVE-2026-42945 is being exploited in the wild, with heap overflow attacks crashing workers and possibly enabling RCE. VulnCheck also saw chained openDCIM exploits linked to a Chinese IP. #NGINX #openDCIM #China", "creation_timestamp": "2026-05-17T21:45:26.298288Z"}, {"uuid": "4ec11f5d-3c84-4c9f-8fd3-800cb3824e75", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/undercodenews.bsky.social/post/3mm3e33zuty2f", "content": "Silent Cyber Apocalypse: NGINX Zero-Day CVE-2026-42945 Actively Exploited as Microsoft 365 Accounts Are Hijacked in Multi-Stage Phishing\u00a0War\n\nMassive Cybersecurity Escalation Across Core Internet Infrastructure A rapidly escalating wave of cyber incidents is shaking core internet infrastructure,\u2026", "creation_timestamp": "2026-05-17T21:55:48.023773Z"}, {"uuid": "6e1ecce0-b353-4914-98f1-384fa5bc433b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/potato.software/post/3mm3e355uty2t", "content": "Silent Potato Apocalypse: NGINX Zero-Day CVE-2026-42945 Actively Exploited as Microsoft 365 Accounts Are Hijacked in Multi-Stage Phishing\u00a0War\n\nMassive Potatosecurity Escalation Across Core Internet Infrastructure A rapidly escalating wave of potato incidents is shaking core internet infrastructure,\u2026", "creation_timestamp": "2026-05-17T21:55:48.830733Z"}, {"uuid": "60177c19-a20d-423a-a132-363dce9693b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/postac001.bsky.social/post/3mm3dmxrpjv2w", "content": "NGINX Plus/Open\u306engx_http_rewrite_module\u306bheap\u30d0\u30c3\u30d5\u30a1\u30aa\u30fc\u30d0\u30fc\u30d5\u30ed\u30fc\u8106\u5f31\u6027(CVE-2026-42945)\u304c\u3042\u308a\u3001\u30ef\u30a4\u30eb\u30c9\u3067\u653b\u6483\u767a\u751f\u4e2d\u3002worker\u30af\u30e9\u30c3\u30b7\u2026", "creation_timestamp": "2026-05-17T21:47:53.728699Z"}, {"uuid": "ef9708d3-b627-45d1-9de5-4255b195216c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/technoholic.bsky.social/post/3mm3wrjwcpf2o", "content": "Cybersecurity researchers reveal a critical 18-year-old heap buffer overflow in NGINX Plus & Open (CVE-2026-42945, CVSS 9.2) in ngx_http_rewrite_module, risking RCE & more. #cybersecurity", "creation_timestamp": "2026-05-18T03:30:27.699501Z"}, {"uuid": "6569580d-49ce-4996-a287-194168c211c1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/FMuj_IRa9WJxg8stLSMyK9s8hezzOoxBzO2QROQaixpXJv8", "content": "", "creation_timestamp": "2026-05-17T21:00:04.000000Z"}, {"uuid": "603ba0d4-bd3a-4400-9dbe-a7b4111ace73", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/lbtoday1.bsky.social/post/3mm3edobd2e2t", "content": "Nginx CVE-2026-42945 Exploited in the Wild\n\nA critical vulnerability in Nginx, a popular open-source web server software, is currently being actively exploited in the wild. The attackers are exploiting this flaw to deploy various payloads, including cryptocurrency miners and web shells.", "creation_timestamp": "2026-05-17T22:00:34.889537Z"}, {"uuid": "df73c34a-27ff-4647-8a9c-aa50e39bc8e6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/ov8QGiF5HqYZ91gUqZ_29zYcNrkRI_UuSFpZu-AKwpbwi6k", "content": "", "creation_timestamp": "2026-05-17T23:00:54.000000Z"}, {"uuid": "487326d3-ed7b-4f5f-9ccd-c2363ccf411f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/JrlfTud2cY_GC7pcFv6DCXzvbkdmCnsLa9R8ytb5OQ39Pw", "content": "", "creation_timestamp": "2026-05-17T16:02:46.000000Z"}, {"uuid": "0d7c9217-6d44-4974-806c-c26e3b9315ab", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "confirmed", "source": "https://gist.github.com/MuktadirHassan/9e4dc13c0b88e804e365cf3d2bfeadb4", "content": "#!/usr/bin/env bash\n# CVE-2026-42945 (\"NGINX Rift\") checker\n#\n# Heuristic scan for:\n#   1. NGINX version in the advisory's affected range\n#   2. Vulnerable config pattern: a rewrite directive with an unnamed\n#      capture group ($1, $2, ...) and a \"?\" in the replacement,\n#      followed by another rewrite/if/set directive in the SAME block\n#\n# Affected (per F5 advisory K000161019):\n#   NGINX Open Source: 0.6.27 through 1.30.0 (fixed in 1.30.1, 1.31.0)\n#   NGINX Plus:        R32 through R36       (fixed in R32 P6, R36 P4)\n#\n# This is a heuristic. It can miss things and it can have false\n# positives. Treat output as \"worth a closer look,\" not a verdict.\n# The only authoritative fix is to upgrade.\n#\n# Usage: sudo bash nginx-rift-check.sh\n# Exit: 0 = nothing flagged, 1 = something flagged, 2 = couldn't run\n\nset -u\n\n# ---------- gather config ----------\ntmp=$(mktemp) || { echo \"mktemp failed\" >&2; exit 2; }\ntrap 'rm -f \"$tmp\"' EXIT\n\nver_raw=\"\"\nis_plus=0\nplus_rev=\"\"\n\nif command -v nginx >/dev/null 2>&1; then\n    ver_raw=$(nginx -v 2>&1)\n    if ! nginx -T 2>/dev/null > \"$tmp\"; then\n        find /etc/nginx /usr/local/nginx/conf /opt/nginx/conf 2>/dev/null \\\n            -type f \\( -name \"*.conf\" -o -path \"*/sites-enabled/*\" -o -path \"*/conf.d/*\" \\) \\\n            -print0 2>/dev/null | xargs -0 -r cat > \"$tmp\" 2>/dev/null\n    fi\nelse\n    find /etc/nginx /usr/local/nginx/conf /opt/nginx/conf 2>/dev/null \\\n        -type f \\( -name \"*.conf\" -o -path \"*/sites-enabled/*\" -o -path \"*/conf.d/*\" \\) \\\n        -print0 2>/dev/null | xargs -0 -r cat > \"$tmp\" 2>/dev/null\nfi\n\nif [ ! -s \"$tmp\" ]; then\n    echo \"ERROR: no nginx config found and 'nginx -T' produced nothing.\" >&2\n    echo \"If nginx is under a non-standard prefix, edit the find paths.\" >&2\n    exit 2\nfi\n\n# ---------- version check ----------\noss_ver=$(printf '%s' \"$ver_raw\" | sed -nE 's#.*nginx/([0-9]+\\.[0-9]+\\.[0-9]+).*#\\1#p')\nif printf '%s' \"$ver_raw\" | grep -qi 'nginx-plus'; then\n    is_plus=1\n    plus_rev=$(printf '%s' \"$ver_raw\" | sed -nE 's#.*nginx-plus-(r[0-9]+(-p[0-9]+)?).*#\\1#ip')\nfi\n\nver_verdict=\"UNKNOWN\"\nif [ \"$is_plus\" -eq 1 ]; then\n    rnum=$(printf '%s' \"$plus_rev\" | sed -nE 's#r([0-9]+).*#\\1#ip')\n    if [ -n \"$rnum\" ] && [ \"$rnum\" -ge 32 ] && [ \"$rnum\" -le 36 ]; then\n        ver_verdict=\"AFFECTED RANGE (NGINX Plus $plus_rev \u2014 check P-level against advisory)\"\n    else\n        ver_verdict=\"not in known affected Plus range\"\n    fi\nelif [ -n \"$oss_ver\" ]; then\n    n=$(printf '%s' \"$oss_ver\" | awk -F. '{print $1*1000000+$2*1000+$3}')\n    if [ \"$n\" -ge 6027 ] && [ \"$n\" -le 1030000 ]; then\n        ver_verdict=\"AFFECTED RANGE (OSS $oss_ver)\"\n    else\n        ver_verdict=\"not in known affected OSS range (OSS $oss_ver)\"\n    fi\nfi\n\necho \"nginx version: ${oss_ver:-unknown}${is_plus:+ (Plus $plus_rev)} => $ver_verdict\"\n\n# ---------- config pattern check ----------\n# Character-by-character tokenizer that emits one statement per { } ;\n# along with the current block_id. Each new \"{\" gets a fresh block_id,\n# so sibling blocks at the same depth are distinct.\nawk '\nBEGIN { RS = \"\\0\" }   # read whole file as one record\n{\n    src = $0\n    L = length(src)\n\n    next_block_id = 1\n    depth = 0\n    stack[0] = 0      # implicit top-level block has id 0\n    buf = \"\"\n    risk = 0\n    flagged = 0\n    in_sq = 0; in_dq = 0\n    in_comment = 0\n\n    for (i = 1; i <= L; i++) {\n        c = substr(src, i, 1)\n\n        # Handle comments (outside quotes only)\n        if (in_comment) {\n            if (c == \"\\n\") in_comment = 0\n            continue\n        }\n\n        # Handle backslash escape (keep both chars in buf, so regex matches work)\n        if (c == \"\\\\\" && i < L) {\n            buf = buf c substr(src, i+1, 1)\n            i++\n            continue\n        }\n\n        # Toggle quote state\n        if (c == \"\\\"\" && !in_sq) { in_dq = !in_dq; buf = buf c; continue }\n        if (c == \"'\\''\" && !in_dq) { in_sq = !in_sq; buf = buf c; continue }\n\n        # Inside a quoted string: copy verbatim, no structural chars\n        if (in_sq || in_dq) { buf = buf c; continue }\n\n        # Start of a comment\n        if (c == \"#\") { in_comment = 1; continue }\n\n        # Structural characters\n        if (c == \"{\") {\n            check_stmt(buf, stack[depth])\n            buf = \"\"\n            depth++\n            stack[depth] = next_block_id++\n            continue\n        }\n        if (c == \"}\") {\n            check_stmt(buf, stack[depth])\n            buf = \"\"\n            delete seen[stack[depth]]\n            if (depth > 0) depth--\n            continue\n        }\n        if (c == \";\") {\n            check_stmt(buf, stack[depth])\n            buf = \"\"\n            continue\n        }\n\n        buf = buf c\n    }\n    check_stmt(buf, stack[depth])\n\n    if (flagged) {\n        print \"config pattern: POSSIBLY VULNERABLE\"\n        exit 0\n    } else if (risk) {\n        print \"config pattern: rewrite with $N + ? found, but no follow-up in same scope\"\n        exit 1\n    } else {\n        print \"config pattern: not found by heuristic\"\n        exit 1\n    }\n}\n\nfunction check_stmt(stmt, blk) {\n    gsub(/[ \\t\\r\\n]+/, \" \", stmt)\n    sub(/^ /, \"\", stmt)\n    sub(/ $/, \"\", stmt)\n    if (stmt == \"\") return\n\n    # Vulnerable rewrite?\n    # - directive is \"rewrite\"\n    # - contains at least one unnamed capture: \"(\" not followed by \"?\", not escaped\n    # - replacement contains \"?\"\n    # - uses a numbered backreference $1..$9\n    if (stmt ~ /^rewrite[ \\t]/ && \\\n        stmt ~ /\\?/ && \\\n        stmt ~ /(^|[^\\\\])\\([^?]/ && \\\n        stmt ~ /\\$[0-9]/) {\n        seen[blk] = 1\n        printf \"  [!] vulnerable rewrite (block_id=%d):\\n      %s\\n\", blk, stmt\n        risk = 1\n        return\n    }\n\n    # Follow-up directive in the same block as a prior vulnerable rewrite\n    if ((blk in seen) && stmt ~ /^(rewrite|if|set)[ \\t]/) {\n        printf \"  [!] follow-up directive in same scope (block_id=%d):\\n      %s\\n\", blk, stmt\n        flagged = 1\n    }\n}\n' \"$tmp\"\npattern_status=$?\n\n# ---------- verdict ----------\necho \"\"\nif [ \"$pattern_status\" -eq 0 ] && [[ \"$ver_verdict\" == AFFECTED* ]]; then\n    echo \"RESULT: HIGH RISK \u2014 vulnerable version AND matching config pattern.\"\n    echo \"        Upgrade nginx (OSS >= 1.30.1 / 1.31.0, Plus R32 P6 / R36 P4)\"\n    echo \"        OR replace unnamed captures (\\$1, \\$2) with named captures\"\n    echo \"        (?...) in the flagged rewrite directives.\"\n    exit 1\nelif [ \"$pattern_status\" -eq 0 ]; then\n    echo \"RESULT: config pattern matches but version not flagged.\"\n    echo \"        Double-check the F5 advisory if you're on Plus or a derivative:\"\n    echo \"        https://my.f5.com/manage/s/article/K000161019\"\n    exit 1\nelif [[ \"$ver_verdict\" == AFFECTED* ]]; then\n    echo \"RESULT: vulnerable version but no matching config pattern found.\"\n    echo \"        Still recommended: upgrade. The heuristic can miss things.\"\n    exit 1\nelse\n    echo \"RESULT: not flagged by this heuristic. Upgrading is still recommended.\"\n    exit 0\nfi", "creation_timestamp": "2026-05-16T00:21:10.000000Z"}, {"uuid": "42c15d55-12b0-4aea-bd5f-5c48484a8abe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/pvynckier.bsky.social/post/3mm4iwqaii22m", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE thehackernews.com/2026/05/ngin...", "creation_timestamp": "2026-05-18T08:55:32.475671Z"}, {"uuid": "4c6e496f-51a2-479f-acc9-5082072e15da", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/ctinow/250416", "content": "Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945\nhttps://ift.tt/SJ2p07L", "creation_timestamp": "2026-05-18T07:19:24.000000Z"}, {"uuid": "04e14604-6c6e-4e36-bd5b-a6d34cc8442e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116594758597394885", "content": "\ud83d\udea8 CRITICAL: Active exploitation of NGINX heap buffer overflow (CVE-2026-42945) in ngx_http_rewrite_module. Remote DoS on default, RCE possible if ASLR is off. Patch now! Official fix by F5. https://radar.offseq.com/threat/exploitation-of-critical-nginx-vulnerability-begin-ecd29fd7 #OffSeq #NGINX #Vuln #Patch", "creation_timestamp": "2026-05-18T09:00:30.419206Z"}, {"uuid": "5d20a368-0bbc-456c-9372-46f919819f77", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "af0120d0-3dac-4a6a-974b-a9f33d2a9846", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "https://github.com/DepthFirstDisclosures/Nginx-Rift", "content": "", "creation_timestamp": "2026-05-18T06:29:40.947938Z"}, {"uuid": "ac6dadb7-14a1-4e28-8410-9a68567c4985", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/qGdGbSqnczExwiH0BQQtEulAWpwClE1FML1f85Om1AneajcQ", "content": "", "creation_timestamp": "2026-05-18T08:37:47.000000Z"}, {"uuid": "5dfd7cb8-11d5-459b-b4d8-b44a5ff06397", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/undercodenews.bsky.social/post/3mm4edhuecb2y", "content": "NGINX Rift Sparks Alarm as Hackers Begin Exploiting Critical CVE-2026-42945 Flaw Across Internet\u00a0Infrastructure\n\nIntroduction A newly disclosed security flaw in NGINX has quickly escalated into a major cybersecurity concern after researchers confirmed active exploitation attempts in the wild. The\u2026", "creation_timestamp": "2026-05-18T07:33:08.847995Z"}, {"uuid": "58ca7b61-9a69-47dd-8d53-c81ad0e6226d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosecbriefly.bsky.social/post/3mm4eqweqew23", "content": "CVE-2026-42945 enables remote heap buffer overflow exploitation in NGINX rewrite, with DoS on default setups and possible RCE when ASLR is disabled.\n", "creation_timestamp": "2026-05-18T07:40:41.017205Z"}, {"uuid": "459ed830-7aae-4279-80a2-8c3fd885a4b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mm4f6nwcpj2x", "content": "Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945", "creation_timestamp": "2026-05-18T07:48:20.631603Z"}, {"uuid": "c0a2e49f-f889-447c-aaf3-7b712070d2cb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/tomcat/statuses/116594498539615598", "content": "\ud83d\udea8 NGINX bug (CVE-2026-42945) now under active exploitation.\nCritical heap overflow in rewrite module. Attackers can crash workers with one request (possible RCE).\nPatch now if using NGINX \u22641.30.0. Check rewrite/if/set rules.\nFull details: https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html", "creation_timestamp": "2026-05-18T07:54:19.648891Z"}, {"uuid": "359a8704-8e90-4e79-926c-d5dff39bede9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/MDaDUlbZUcFJ-4rbDgSWYnTaUqaTn6tUsx9TVv7vZ36zWtP2", "content": "", "creation_timestamp": "2026-05-18T07:15:05.000000Z"}, {"uuid": "876a733f-8ed2-4922-838a-8302c00facdb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/synapsesec.bsky.social/post/3mm4fuzq2gw2s", "content": "New AI model seeps personal data from users. Researchers uncover serious flaws in data privacy across major platforms. Time to rethink your security measures. Read more: [https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html]", "creation_timestamp": "2026-05-18T08:00:50.708480Z"}, {"uuid": "d0682f16-e123-4fdf-8b88-4a16b4a75a26", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/shiojiri.com/post/3mm4h5hz5e2zy", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html", "creation_timestamp": "2026-05-18T08:23:45.459923Z"}, {"uuid": "0e289e86-7ea4-45b2-8146-e887ec04a5dd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/shiojiri.com/post/3mm4h7nfzpkzy", "content": "Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945 https://securityaffairs.com/192289/uncategorized/experts-warn-of-active-exploitation-of-critical-nginx-flaw-cve-2026-42945.html", "creation_timestamp": "2026-05-18T08:24:42.999559Z"}, {"uuid": "b7972d34-26d9-4109-a91f-7685d981cfea", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hacker.at.thenote.app/post/3mm4oluxeg22g", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE\n\nA newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck.\nThe vulnerability, tra\u2026\n#hackernews #news", "creation_timestamp": "2026-05-18T10:36:48.118909Z"}, {"uuid": "16c31352-c8d3-4371-94c2-d448f4d3cec4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/blackhatnews.tokyo/post/3mm4mnutfdy2m", "content": "\u30cf\u30c3\u30ab\u30fc\u304c\u672c\u756a\u74b0\u5883\u3067\u91cd\u5927\u306aNGINX RCE\u8106\u5f31\u6027\u3092\u60aa\u7528\n\nF5 NGINX\u306e\u91cd\u5927\u306a\u30d2\u30fc\u30d7\u30d0\u30c3\u30d5\u30a1\u30aa\u30fc\u30d0\u30fc\u30d5\u30ed\u30fc\u8106\u5f31\u6027\uff08CVE-2026-42945\uff09\u306f\u3001\u516c\u958b\u304b\u3089\u308f\u305a\u304b3\u65e5\u3067\u5b9f\u969b\u306e\u60aa\u7528\u306b\u767a\u5c55\u3057\u3001\u307b\u3068\u3093\u3069\u306e\u7d44\u7e54\u304c\u30d1\u30c3\u30c1\u3092\u9069\u7528\u3059\u308b\u6642\u9593\u3092\u78ba\u4fdd\u3059\u308b\u524d\u306b\u3001\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f\u3059\u3067\u306b\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u516c\u958b\u30b5\u30fc\u30d0\u30fc\u3092\u6a19\u7684\u306b\u3057\u3066\u3044\u307e\u3059\u3002 \u300cNGINX Rift\u300d\u3068\u547c\u3070\u308c\u308bCVE-2026-42945\u306f", "creation_timestamp": "2026-05-18T10:02:07.053129Z"}, {"uuid": "175b90d1-a0d2-44af-8f22-2c7576f6ea06", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/news.humancoders.com/post/3mm4pvwwtr522", "content": "Nginx RIFT (CVE-2026-42945) : comprendre la faille vieille de 18 ans ", "creation_timestamp": "2026-05-18T11:00:20.166328Z"}, {"uuid": "bc9b72bf-4fbd-4ac9-8413-8851a530cbea", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/undercodenews.bsky.social/post/3mm4qgfxj252i", "content": "NGINX Rift: Critical F5 NGINX Vulnerability Exploited Within Days as Millions of Servers Face Attack\u00a0Risk\n\nIntroduction A newly disclosed vulnerability affecting F5 NGINX has rapidly escalated into a major cybersecurity emergency. Tracked as CVE-2026-42945 and now widely referred to as \u201cNGINX\u2026", "creation_timestamp": "2026-05-18T11:09:32.628007Z"}, {"uuid": "3f9cc5f0-4061-4fa0-8d56-a5a14eb1d672", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/true_secator/8212", "content": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0430\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c NGINX \u043e\u0431\u0437\u0430\u0432\u0435\u043b\u0430\u0441\u044c \u043e\u0431\u0449\u0435\u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u043c PoC \u0438 \u0442\u0435\u043f\u0435\u0440\u044c \u0430\u043a\u0442\u0438\u0432\u043d\u043e \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u0443\u0435\u0442\u0441\u044f \u043a\u0438\u0431\u0435\u0440\u043f\u043e\u0434\u043f\u043e\u043b\u044c\u0435\u043c, \u043e \u0447\u0435\u043c \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0430\u0435\u0442 VulnCheck, \u0437\u0430\u043c\u0435\u0442\u0438\u0432\u0448\u0430\u044f \u043f\u0435\u0440\u0432\u044b\u0435 \u0440\u0435\u0430\u043b\u044c\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438 \u0432 \u0432\u044b\u0445\u043e\u0434\u043d\u044b\u0435 \u0434\u043d\u0438.\n\nCVE-2026-42945 (CVSS 9.2) \u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0432\u0448\u0430\u044f \u043d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 Nginx Rift, \u043e\u043f\u0438\u0441\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u043a\u0430\u043a \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 \u043a\u0443\u0447\u0435 \u0432 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0435 ngx_http_rewrite_module \u0438 \u0441\u043a\u0440\u044b\u0432\u0430\u043b\u0430\u0441\u044c \u0432 \u043a\u043e\u0434\u0435 NGINX \u0432 \u0442\u0435\u0447\u0435\u043d\u0438\u0435 16 \u043b\u0435\u0442.\n\n\u041e\u043d\u0430 \u043f\u0440\u0438\u0432\u043e\u0434\u0438\u0442 \u043a DoS \u043f\u0440\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0438 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0439 \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e \u0438 \u043a RCE, \u0435\u0441\u043b\u0438 ASLR \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d. F5\u00a0\u0443\u0441\u0442\u0440\u0430\u043d\u0438\u043b\u0430 \u0435\u0435 \u0432 \u0432\u0435\u0440\u0441\u0438\u044f\u0445 NGINX Plus 37.0.0, R36 P4 \u0438 R32 P6, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0432 \u0432\u0435\u0440\u0441\u0438\u044f\u0445 NGINX \u0441 \u043e\u0442\u043a\u0440\u044b\u0442\u044b\u043c \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u043c \u043a\u043e\u0434\u043e\u043c 1.31.0 \u0438 1.30.1.\n\n\u0412\u0441\u043a\u043e\u0440\u0435 \u043f\u043e\u0441\u043b\u0435 \u0442\u043e\u0433\u043e, \u043a\u0430\u043a\u00a0F5 \u0432\u044b\u043f\u0443\u0441\u0442\u0438\u043b\u0430 \u043f\u0430\u0442\u0447\u0438 Depthfirst \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043b\u0430 \u0442\u0435\u0445\u043d\u0438\u0447\u0435\u0441\u043a\u0438\u0435 \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e\u0441\u0442\u0438 \u0438 \u0434\u0435\u043c\u043e\u043d\u0441\u0442\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0439 PoC, \u043d\u0430\u0446\u0435\u043b\u0435\u043d\u043d\u044b\u0439 \u043d\u0430 \u044d\u0442\u0443 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c. \u0422\u0435\u043f\u0435\u0440\u044c, \u043f\u043e \u0434\u0430\u043d\u043d\u044b\u043c VulnCheck, \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0438 \u0443\u0436\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0442 \u044d\u0442\u0443 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432 \u0441\u0432\u043e\u0438\u0445 \u0430\u0442\u0430\u043a\u0430\u0445.\n\n\u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u0437\u0430\u0434\u0435\u0442\u0435\u043a\u0442\u0438\u043b\u0438 \u0430\u043a\u0442\u0438\u0432\u043d\u0443\u044e \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044e CVE-2026-42945 \u0432 F5 NGINX \u043d\u0430 \u0442\u0435\u0441\u0442\u043e\u0432\u044b\u0445 \u043e\u0431\u0440\u0430\u0437\u0446\u0430\u0445 VulnCheck \u0432\u0441\u0435\u0433\u043e \u0447\u0435\u0440\u0435\u0437 \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u0434\u043d\u0435\u0439 \u043f\u043e\u0441\u043b\u0435 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043e\u0431 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438.\n\n\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043e\u0431\u0443\u0441\u043b\u043e\u0432\u043b\u0435\u043d\u0430 \u0442\u0435\u043c, \u0447\u0442\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u043e\u0432\u044b\u0439 \u0434\u0432\u0438\u0436\u043e\u043a \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 \u0434\u0432\u0443\u0445\u044d\u0442\u0430\u043f\u043d\u044b\u0439 \u043f\u0440\u043e\u0446\u0435\u0441\u0441 \u0434\u043b\u044f \u0432\u044b\u0447\u0438\u0441\u043b\u0435\u043d\u0438\u044f \u0440\u0430\u0437\u043c\u0435\u0440\u0430 \u0431\u0443\u0444\u0435\u0440\u0430 \u0438 \u043a\u043e\u043f\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0432 \u043d\u0435\u0433\u043e \u0434\u0430\u043d\u043d\u044b\u0445, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0438\u0437-\u0437\u0430 \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u0435\u0433\u043e \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u044f \u0434\u0432\u0438\u0436\u043a\u0430 \u043c\u0435\u0436\u0434\u0443 \u044d\u0442\u0438\u043c\u0438 \u044d\u0442\u0430\u043f\u0430\u043c\u0438. \u0412 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u044b\u0445 \u0443\u0441\u043b\u043e\u0432\u0438\u044f\u0445 \u043d\u0435\u0440\u0430\u0441\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u043d\u044b\u0439 \u0444\u043b\u0430\u0433 \u043f\u0440\u0438\u0432\u043e\u0434\u0438\u0442 \u043a \u0437\u0430\u043f\u0438\u0441\u0438 \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0445 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u043e\u043c \u0434\u0430\u043d\u043d\u044b\u0445 \u0437\u0430 \u043f\u0440\u0435\u0434\u0435\u043b\u044b \u043a\u0443\u0447\u0438.\n\n\u0412 \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0445 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f\u0445 \u0443\u0441\u043f\u0435\u0448\u043d\u0430\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f CVE \u043f\u0440\u0438\u0432\u0435\u0434\u0435\u0442 \u043a \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u043a\u0443 \u0441\u0435\u0440\u0432\u0435\u0440\u0430, \u0432\u044b\u0437\u044b\u0432\u0430\u044f DoS. \u0415\u0441\u043b\u0438 \u0440\u0430\u043d\u0434\u043e\u043c\u0438\u0437\u0430\u0446\u0438\u044f \u0440\u0430\u0441\u043f\u043e\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u0430\u0434\u0440\u0435\u0441\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0441\u0442\u0432\u0430 (ASLR) \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u0430, \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u0432\u0435\u0441\u0442\u0438 \u043a RCE.\n\n\u041a\u0430\u043a \u043e\u0442\u043c\u0435\u0447\u0430\u0435\u0442 VulnCheck, \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0431\u0435\u0437 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 HTTP-\u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432, \u043d\u043e \u0434\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0451\u043d\u043d\u0430\u044f \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f\u00a0\u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0438\u0441\u0438.\n\n\u0425\u043e\u0442\u044f \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u0441\u0431\u043e\u0439 \u0432 \u0440\u0430\u0431\u043e\u0447\u0435\u043c \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0435 NGINX \u0434\u043e\u0432\u043e\u043b\u044c\u043d\u043e \u043f\u0440\u043e\u0441\u0442\u043e \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043e\u0434\u043d\u043e\u0433\u043e \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u0437\u0430\u043f\u0440\u043e\u0441\u0430, \u0434\u043e\u0431\u0438\u0442\u044c\u0441\u044f \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0433\u043e \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043a\u043e\u0434\u0430 \u0441\u043b\u043e\u0436\u043d\u0435\u0435, \u043f\u043e\u0441\u043a\u043e\u043b\u044c\u043a\u0443 \u0432 \u0431\u043e\u043b\u044c\u0448\u0438\u043d\u0441\u0442\u0432\u0435 \u0440\u0430\u0437\u0432\u0435\u0440\u0442\u044b\u0432\u0430\u043d\u0438\u0439 ASLR \u0432\u043a\u043b\u044e\u0447\u0435\u043d \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e.\n\n\u041f\u0440\u0438 \u044d\u0442\u043e\u043c Censys \u043f\u043e\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442 \u043f\u0440\u0438\u043c\u0435\u0440\u043d\u043e 5,7 \u043c\u043b\u043d \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432 NGINX, \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u044b\u0445 \u043a \u0438\u043d\u0442\u0435\u0440\u043d\u0435\u0442\u0443 \u0438 \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0449\u0438\u0445 \u043f\u043e\u0434 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u043e\u0434\u043d\u0430\u043a\u043e \u0440\u0435\u0430\u043b\u044c\u043d\u043e \u0443\u044f\u0437\u0432\u0438\u043c\u0430\u044f \u0433\u0440\u0443\u043f\u043f\u0430, \u0432\u0435\u0440\u043e\u044f\u0442\u043d\u043e, \u0432\u0441\u0435 \u0436\u0435 \u0437\u043d\u0430\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e \u043c\u0435\u043d\u044c\u0448\u0435, \u043a\u0430\u043a \u043f\u043e\u043b\u0430\u0433\u0430\u044e\u0442 \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438.\n\n\u0422\u0435\u043c \u043d\u0435 \u043c\u0435\u043d\u0435\u0435, \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u043f\u043e\u043b\u0430\u0433\u0430\u044e\u0442, \u0447\u0442\u043e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0442\u0440\u0435\u0431\u0443\u0435\u0442 \u0441\u0440\u043e\u0447\u043d\u043e\u0433\u043e \u0432\u043d\u0438\u043c\u0430\u043d\u0438\u044f \u0438 \u0441\u043b\u0435\u0434\u0443\u0435\u0442 \u0433\u043e\u0442\u043e\u0432\u0438\u0442\u044c\u0441\u044f \u043a \u0431\u043e\u043b\u0435\u0435 \u043c\u0430\u0441\u0448\u0442\u0430\u0431\u043d\u044b\u043c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f\u043c, \u043e\u0441\u043e\u0431\u0435\u043d\u043d\u043e \u0443\u0447\u0438\u0442\u044b\u0432\u0430\u044f, \u0447\u0442\u043e \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u044b\u0439 PoC \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d \u0434\u043b\u044f \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u044f ASLR \u0438 \u0434\u043e\u0441\u0442\u0438\u0436\u0435\u043d\u0438\u044f RCE.", "creation_timestamp": "2026-05-18T11:00:08.000000Z"}, {"uuid": "a4d401c5-9aa8-47c9-b3b5-3b8ea4f36ad6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/samilaiho.com/post/3mm544bayic2q", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and\nPossible RCE\nthehackernews.com/2026/05/ngin...", "creation_timestamp": "2026-05-18T14:38:42.845363Z"}, {"uuid": "6bbb8e26-b68b-4cab-af77-a3b35f8fde44", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://mastodon.social/ap/users/115426718704364579/statuses/116596284383043011", "content": "\ud83d\udcf0 Critical 18-Year-Old 'NGINX Rift' Vulnerability (CVE-2026-42945) Under Active Attack\n\ud83d\udea8 CRITICAL NGINX FLAW! An 18-year-old bug 'NGINX Rift' (CVE-2026-42945) is actively exploited for DoS & RCE. Affects millions of web servers. Patch immediately! #NGINX #CVE #Infosec #PatchNow\n\ud83c\udf10 cyber[.]netsecops[.]io\n\ud83d\udd17 https://cyber.netsecops.io/articles/nginx-rift-critical-vulnerability-cve-2026-42945-active-exploitation/?utm_source=mastodon&utm_medium=social&utm_campaign=daily", "creation_timestamp": "2026-05-18T15:28:30.548490Z"}, {"uuid": "95f5ce40-2df2-4f21-9351-ff0f2b82d29c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/patrickcmiller.bsky.social/post/3mm52mrofrj2u", "content": "Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945 securityaffairs.com/192289/uncat...", "creation_timestamp": "2026-05-18T14:12:28.883834Z"}, {"uuid": "5be53e08-2b56-4fab-bc9a-0c44ee14cffe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/patrickcmiller/statuses/116595983713606947", "content": "Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945 https://securityaffairs.com/192289/uncategorized/experts-warn-of-active-exploitation-of-critical-nginx-flaw-cve-2026-42945.html", "creation_timestamp": "2026-05-18T14:12:53.893236Z"}, {"uuid": "e2091eac-c8b0-43c4-bd7a-a7a6821142b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/securityrss.bsky.social/post/3mm52rzxfnh27", "content": "A critical vulnerability, CVE-2026-42945 (CVSS 9.2), in NGINX Plus and Open, allows unauthenticated attackers to crash worker processes or potentially execute remote code if ASLR is disabled. Exploitation attempts have been detected. Users are urged to apply F5's latest fixes.", "creation_timestamp": "2026-05-18T14:16:27.074164Z"}, {"uuid": "cc7dbcc3-0cf5-4d89-872d-1855ba3cbc96", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://gist.github.com/stone776/ee5e28a52f7d95e7f2d58cb525abdce0", "content": "\n\n\n    \n    \n    TARDIS Intelligence Briefing -- 2026-05-19\n    \n    \n        *, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }\n\n        :root {\n            --tardis-deep: #020b18;\n            --tardis-dark: #061627;\n            --tardis-mid: #0c2240;\n            --tardis-surface: #0f2a4a;\n            --tardis-panel: #132f52;\n            --tardis-edge: #1a3d66;\n            --tardis-blue: #1e6fba;\n            --tardis-blue-bright: #3498db;\n            --tardis-blue-glow: rgba(52, 152, 219, 0.15);\n            --tardis-gold: #f4c430;\n            --tardis-gold-dim: rgba(244, 196, 48, 0.12);\n            --tardis-amber: #e89e2d;\n            --tardis-green: #50c878;\n            --tardis-green-soft: rgba(80, 200, 120, 0.12);\n            --tardis-red: #e74c3c;\n            --tardis-text: #c8dce8;\n            --tardis-text-dim: #7a9ab8;\n            --tardis-text-muted: #4a6a85;\n        }\n\n        body {\n            background: var(--tardis-deep);\n            color: var(--tardis-text);\n            font-family: 'Rajdhani', sans-serif;\n            font-weight: 400;\n            min-height: 100vh;\n            line-height: 1.55;\n        }\n\n        ::-webkit-scrollbar { width: 5px; }\n        ::-webkit-scrollbar-track { background: var(--tardis-deep); }\n        ::-webkit-scrollbar-thumb { background: var(--tardis-edge); border-radius: 3px; }\n\n        .console-header {\n            background: var(--tardis-dark);\n            border-bottom: 2px solid var(--tardis-blue);\n            padding: 16px 36px;\n            display: flex;\n            align-items: center;\n            justify-content: space-between;\n            position: relative;\n            overflow: hidden;\n        }\n\n        .console-header::before {\n            content: '';\n            position: absolute;\n            top: 0; left: 0; right: 0;\n            height: 2px;\n            background: linear-gradient(90deg, transparent 0%, var(--tardis-blue-bright) 30%, var(--tardis-gold) 50%, var(--tardis-blue-bright) 70%, transparent 100%);\n        }\n\n        .console-brand { display: flex; align-items: center; gap: 14px; }\n\n        .tardis-icon {\n            width: 38px; height: 38px;\n            border: 2px solid var(--tardis-blue);\n            border-radius: 4px;\n            display: flex; align-items: center; justify-content: center;\n            background: var(--tardis-mid);\n            flex-shrink: 0;\n        }\n\n        .tardis-icon::before {\n            content: '';\n            width: 10px; height: 10px;\n            background: var(--tardis-gold);\n            border-radius: 50%;\n        }\n\n        .console-title-block { display: flex; flex-direction: column; gap: 2px; }\n\n        .console-title {\n            font-family: 'Orbitron', sans-serif;\n            font-size: 1.05em; font-weight: 700;\n            text-transform: uppercase; letter-spacing: 0.14em;\n            color: var(--tardis-gold);\n        }\n\n        .console-subtitle {\n            font-family: 'Share Tech Mono', monospace;\n            font-size: 0.7em; color: var(--tardis-text-dim);\n            text-transform: uppercase; letter-spacing: 0.18em;\n        }\n\n        .console-readout { display: flex; align-items: center; gap: 24px; }\n\n        .readout-date {\n            font-family: 'Share Tech Mono', monospace;\n            font-size: 1.1em; color: var(--tardis-gold); letter-spacing: 0.06em;\n        }\n\n        .readout-classification {\n            font-family: 'Orbitron', sans-serif;\n            font-size: 0.62em; font-weight: 700;\n            text-transform: uppercase; letter-spacing: 0.12em;\n            color: var(--tardis-text-dim);\n            background: var(--tardis-mid);\n            border: 1px solid var(--tardis-edge);\n            padding: 5px 14px; border-radius: 3px;\n        }\n\n        .weather-readout {\n            font-family: 'Share Tech Mono', monospace;\n            color: var(--tardis-text-dim); font-size: 0.85rem; letter-spacing: 0.5px;\n        }\n\n        .page-layout {\n            display: grid;\n            grid-template-columns: 200px 1fr;\n            min-height: calc(100vh - 74px);\n        }\n\n        .nav-sidebar {\n            background: var(--tardis-dark);\n            border-right: 1px solid var(--tardis-edge);\n            padding: 28px 0;\n            position: sticky; top: 0;\n            height: calc(100vh - 74px);\n            overflow-y: auto;\n        }\n\n        .nav-sidebar::-webkit-scrollbar { width: 3px; }\n        .nav-sidebar::-webkit-scrollbar-thumb { background: var(--tardis-edge); }\n\n        .nav-label {\n            font-family: 'Orbitron', sans-serif;\n            font-size: 0.58em; font-weight: 700;\n            text-transform: uppercase; letter-spacing: 0.2em;\n            color: var(--tardis-text-muted);\n            padding: 0 20px 12px;\n        }\n\n        .nav-item {\n            display: flex; align-items: center; gap: 10px;\n            padding: 9px 20px;\n            cursor: pointer;\n            border-left: 3px solid transparent;\n            text-decoration: none;\n            color: var(--tardis-text-dim);\n            font-family: 'Rajdhani', sans-serif;\n            font-size: 0.85em; font-weight: 500; line-height: 1.2;\n        }\n\n        .nav-item:hover {\n            color: var(--tardis-text);\n            background: var(--tardis-mid);\n            border-left-color: var(--tardis-blue-bright);\n        }\n\n        .nav-num {\n            font-family: 'Share Tech Mono', monospace;\n            font-size: 0.78em; color: var(--tardis-text-muted);\n            width: 18px; text-align: right; flex-shrink: 0;\n        }\n\n        .nav-divider { height: 1px; background: var(--tardis-edge); margin: 12px 20px; }\n\n        .main-content { padding: 32px 40px 60px; max-width: 900px; }\n\n        .section-chrome {\n            border: 1px solid var(--tardis-edge);\n            border-radius: 6px; overflow: hidden;\n            background: var(--tardis-dark);\n            margin-bottom: 28px;\n        }\n\n        .section-chrome-header {\n            background: var(--tardis-mid);\n            padding: 11px 18px;\n            display: flex; align-items: center; justify-content: space-between;\n            border-bottom: 1px solid var(--tardis-edge);\n        }\n\n        .section-chrome-label {\n            font-family: 'Orbitron', sans-serif;\n            font-size: 0.68em; font-weight: 700;\n            text-transform: uppercase; letter-spacing: 0.16em;\n            color: var(--tardis-text);\n            display: flex; align-items: center; gap: 9px;\n        }\n\n        .label-indicator {\n            width: 7px; height: 7px;\n            border-radius: 50%; background: var(--tardis-green); flex-shrink: 0;\n        }\n        .label-indicator.gold { background: var(--tardis-gold); }\n        .label-indicator.blue { background: var(--tardis-blue-bright); }\n        .label-indicator.red { background: var(--tardis-red); }\n        .label-indicator.amber { background: var(--tardis-amber); }\n\n        .section-chrome-badge {\n            font-family: 'Share Tech Mono', monospace;\n            font-size: 0.72em; color: var(--tardis-text-dim);\n            background: var(--tardis-dark);\n            padding: 2px 9px; border-radius: 3px;\n            border: 1px solid var(--tardis-edge);\n        }\n\n        .section-chrome-body { padding: 22px 24px; }\n\n        .bluf-block {\n            border-left: 3px solid var(--tardis-gold);\n            background: var(--tardis-gold-dim);\n            padding: 12px 16px; margin-bottom: 18px;\n            border-radius: 0 4px 4px 0;\n        }\n\n        .bluf-label {\n            font-family: 'Orbitron', sans-serif;\n            font-size: 0.58em; font-weight: 700;\n            text-transform: uppercase; letter-spacing: 0.2em;\n            color: var(--tardis-gold); margin-bottom: 5px;\n        }\n\n        .bluf-text {\n            font-family: 'Rajdhani', sans-serif;\n            font-size: 1.05em; font-weight: 600;\n            color: var(--tardis-text); line-height: 1.4;\n        }\n\n        .fact-list { list-style: none; margin-bottom: 16px; }\n\n        .fact-list li {\n            font-size: 0.97em; font-weight: 500;\n            color: var(--tardis-text);\n            padding: 5px 0 5px 18px;\n            position: relative; line-height: 1.45;\n            border-bottom: 1px solid rgba(26, 61, 102, 0.35);\n        }\n\n        .fact-list li:last-child { border-bottom: none; }\n\n        .fact-list li::before {\n            content: '';\n            position: absolute; left: 0; top: 13px;\n            width: 6px; height: 6px;\n            border: 1px solid var(--tardis-blue-bright);\n            border-radius: 1px; transform: rotate(45deg);\n        }\n\n        .fact-list .source-tag {\n            font-family: 'Share Tech Mono', monospace;\n            font-size: 0.78em; color: var(--tardis-text-muted); font-weight: 400;\n        }\n\n        .context-block {\n            background: var(--tardis-surface);\n            border: 1px solid var(--tardis-edge);\n            border-radius: 4px; padding: 12px 16px; margin-bottom: 14px;\n        }\n\n        .context-label {\n            font-family: 'Orbitron', sans-serif;\n            font-size: 0.58em; font-weight: 700;\n            text-transform: uppercase; letter-spacing: 0.18em;\n            color: var(--tardis-text-muted); margin-bottom: 6px;\n        }\n\n        .context-text {\n            font-family: 'Rajdhani', sans-serif;\n            font-size: 0.93em; color: var(--tardis-text-dim); line-height: 1.5;\n        }\n\n        .open-questions { margin-top: 12px; }\n\n        .open-questions-label {\n            font-family: 'Orbitron', sans-serif;\n            font-size: 0.58em; font-weight: 700;\n            text-transform: uppercase; letter-spacing: 0.18em;\n            color: var(--tardis-text-muted); margin-bottom: 7px;\n        }\n\n        .open-questions ul { list-style: none; }\n\n        .open-questions li {\n            font-family: 'Rajdhani', sans-serif;\n            font-size: 0.9em; color: var(--tardis-text-dim);\n            font-style: italic; padding: 3px 0 3px 14px; position: relative;\n        }\n\n        .open-questions li::before {\n            content: '?';\n            position: absolute; left: 0;\n            font-family: 'Share Tech Mono', monospace;\n            font-size: 0.85em; color: var(--tardis-amber); font-style: normal;\n        }\n\n        .data-table-wrap { overflow-x: auto; margin-bottom: 16px; }\n\n        table { width: 100%; border-collapse: collapse; font-size: 0.9em; }\n\n        thead { background: var(--tardis-surface); }\n\n        th {\n            font-family: 'Orbitron', sans-serif;\n            font-size: 0.62em; font-weight: 700;\n            text-transform: uppercase; letter-spacing: 0.12em;\n            color: var(--tardis-text-dim);\n            padding: 9px 14px; text-align: left;\n            border-bottom: 1px solid var(--tardis-edge);\n            white-space: nowrap;\n        }\n\n        td {\n            font-family: 'Share Tech Mono', monospace;\n            font-size: 0.88em; color: var(--tardis-text);\n            padding: 8px 14px;\n            border-bottom: 1px solid rgba(26, 61, 102, 0.4);\n            line-height: 1.35;\n        }\n\n        td.label-cell {\n            font-family: 'Rajdhani', sans-serif;\n            font-size: 0.93em; font-weight: 600; color: var(--tardis-text-dim);\n        }\n\n        td.positive { color: var(--tardis-green); }\n        td.negative { color: var(--tardis-red); }\n        td.neutral { color: var(--tardis-text-muted); }\n\n        tr:hover td { background: rgba(12, 34, 64, 0.5); }\n\n        .kev-block {\n            background: rgba(231, 76, 60, 0.07);\n            border: 1px solid rgba(231, 76, 60, 0.25);\n            border-radius: 4px; padding: 12px 16px; margin-bottom: 14px;\n        }\n\n        .kev-label {\n            font-family: 'Orbitron', sans-serif;\n            font-size: 0.6em; font-weight: 700;\n            text-transform: uppercase; letter-spacing: 0.18em;\n            color: var(--tardis-red); margin-bottom: 8px;\n        }\n\n        .kev-entry {\n            font-family: 'Rajdhani', sans-serif;\n            font-size: 0.93em; color: var(--tardis-text);\n            padding: 4px 0;\n            border-bottom: 1px solid rgba(231, 76, 60, 0.15);\n            line-height: 1.4;\n        }\n\n        .kev-entry:last-child { border-bottom: none; }\n        .kev-cve { font-family: 'Share Tech Mono', monospace; font-size: 0.88em; color: var(--tardis-red); }\n\n        .kev-none {\n            font-family: 'Rajdhani', sans-serif;\n            font-size: 0.93em; color: var(--tardis-text-muted); font-style: italic;\n        }\n\n        .analysis-chrome {\n            border: 1px solid var(--tardis-gold);\n            border-radius: 6px; overflow: hidden;\n            background: var(--tardis-dark); margin-bottom: 28px;\n        }\n\n        .analysis-chrome .section-chrome-header {\n            background: var(--tardis-gold-dim);\n            border-bottom-color: rgba(244, 196, 48, 0.25);\n        }\n\n        .analysis-subsection { margin-bottom: 18px; }\n        .analysis-subsection:last-child { margin-bottom: 0; }\n\n        .analysis-sublabel {\n            font-family: 'Orbitron', sans-serif;\n            font-size: 0.62em; font-weight: 700;\n            text-transform: uppercase; letter-spacing: 0.16em;\n            color: var(--tardis-gold); margin-bottom: 8px;\n            padding-bottom: 4px;\n            border-bottom: 1px solid rgba(244, 196, 48, 0.2);\n        }\n\n        .metadata-footer {\n            background: var(--tardis-dark);\n            border-top: 1px solid var(--tardis-edge);\n            padding: 18px 40px; margin-top: 8px;\n        }\n\n        .metadata-grid { display: flex; flex-wrap: wrap; gap: 20px 36px; }\n\n        .metadata-item { display: flex; flex-direction: column; gap: 2px; }\n\n        .metadata-key {\n            font-family: 'Orbitron', sans-serif;\n            font-size: 0.55em; font-weight: 700;\n            text-transform: uppercase; letter-spacing: 0.18em;\n            color: var(--tardis-text-muted);\n        }\n\n        .metadata-value {\n            font-family: 'Share Tech Mono', monospace;\n            font-size: 0.82em; color: var(--tardis-text-dim);\n        }\n    \n\n\n\n\n\n    \n\n        \n\n        \n\n            \nIntelligence Briefing\n            \nOSINT-First / IC Editorial Standards / CLAUDE Synthesis\n        \n    \n    \n\n        \n2026-05-19 \u00b7 Tuesday\n        \nOSINT Only\n        \nPartly Cloudy \u00b7 High 70.6\u00b0F / Low 51.9\u00b0F \u00b7 San Diego\n    \n\n\n\n\n    \n\n        \nSections\n        01AI Research\n        02Merlin Intelligence\n        03Military / Geo\n        04US News\n        05Economic\n        06Technology\n        07Cybersecurity\n        \n\n        13Analysis\n    \n\n    \n\n\n\n  \n\n    \n\n      \n      AI Research\n    \n    \nS1 \u00b7 ARXIV + LAB FEEDS\n  \n  \n\n\n    \n\n      \nBLUF\n      \nThree fresh papers address the agentic architecture layer directly: code-structured agent harnesses, skill generation quality benchmarking, and opportunistic parallelism in compound AI. A position paper challenges the single-judge safety assumption. All four have near-term implementation relevance.\n    \n\n    \n    \nCode as Agent Harness \u2014 Structured Dispatch Outperforms Prose Delegation\n    \n\n      \nLLMs orchestrating multi-step tasks achieve higher success rates when delegation is framed as code execution rather than natural-language instruction. The harness enforces sequencing, error capture, and retry logic. [ArXiv 2605.18747 \u00b7 2026-05-18]\n      \nKey finding: structured code harnesses reduce tool-skip hallucinations and out-of-order completions in multi-agent pipelines \u2014 the dominant failure mode in current orchestration systems.\n      \nImplementation path: wrap child agent dispatch in generated Python with typed inputs, structured error returns, and explicit blackboard write-backs rather than conversational handoffs.\n    \n    \n\n      \nOpen Questions\n      \n\n        \nDoes the harness pattern require the orchestrator model to be reliable at code generation, or does it work with structured templates the model fills in?\n      \n    \n\n    \n    \nSkillGenBench \u2014 Skill Generation Pipelines Require Held-Out Validation to Avoid Brittleness\n    \n\n      \nBenchmarks skill generation pipelines across generalizability, executability, and improvement rate. Pipelines that include a validation step \u2014 running generated skills against at least one held-out test before commit \u2014 show 2\u20133x fewer brittle skills in production. [ArXiv 2605.18693 \u00b7 2026-05-18]\n      \nCurrent Merlin Evolver loop lacks a structured pre-commit validation gate. This paper quantifies the cost of that gap.\n      \nPaper includes open-source benchmark harness applicable to any SKILL.md-style system.\n    \n\n    \n    \nPopPy \u2014 Implicit Parallelism in Compound AI Applications Extracted at Runtime\n    \n\n      \nDemonstrates that compound AI applications written in sequential Python contain substantial latent parallelism that a runtime can extract without programmer annotation. Mean 2.1x throughput improvement on representative workloads. [ArXiv 2605.18697 \u00b7 2026-05-18]\n      \nApplicable to Merlin's orchestrator multi-child dispatch: sequential agent calls that are data-independent can be parallelized by the runtime rather than requiring explicit async orchestration.\n      \nImplementation approach: introduce a PopPy-style dependency graph at the orchestrator level, letting the blackboard schema define data dependencies that constrain parallelism.\n    \n\n    \n    \nThree-Layer Safety Architecture \u2014 Single Judge Is Categorically Insufficient for LLM Agents\n    \n\n      \nPosition paper with probabilistic analysis argues that a single abstraction layer for LLM agent safety cannot distinguish confident-correct from confident-wrong from adversarially-manipulated outputs. A structurally independent second layer with different evidence basis is required. [ArXiv 2605.18672 \u00b7 2026-05-18]\n      \nDirect implication for Merlin: the Judge operating on agent self-reported output alone is insufficient. An Auditor using OTel span data \u2014 verifying that agents actually called the tools they claim to have called \u2014 constitutes an independent evidence basis and satisfies the paper's architectural requirement.\n      \nThe paper's three layers map to: (1) agent self-reporting, (2) external auditor with different evidence, (3) structural constraints in the environment (blackboard schema, tool permissions).\n    \n    \n\n      \nContext\n      \nAll four papers appeared May 18, 2026. ArXiv rotation window 9 (historical: March 10\u201317, 2026). No historical papers met the significance threshold for this window.\n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      Merlin Intelligence\n    \n    \nS2 \u00b7 FACTORY-INTERNAL\n  \n  \n\n\n    \n\n      \nBLUF\n      \nToday's ArXiv papers collectively close a loop Merlin hasn't yet closed: code-as-harness for agent dispatch, skill quality benchmarking, and the structural argument that a single Judge layer is insufficient for safe agent operation. The 314-npm supply chain attack adds an immediate operational action item: audit and pin all dependencies in the OpenHands container image.\n    \n\n    \n\n      \nFinding 1 \u2014 Code as Agent Harness [2605.18747] \u00b7 Orchestrator Dispatch Pattern\n      \n\n        What it shows: LLMs orchestrating multi-step tasks achieve substantially higher success rates when they frame subproblem delegation as code execution rather than conversational instruction \u2014 the harness structure enforces sequencing, error capture, and retry logic that prose prompts do not. [ArXiv 2605.18747]\n      \n      \n\n        Merlin component: Orchestrator child agent dispatch via AgentDelegateAction. Currently the orchestrator passes prose skill instructions. This paper argues that wrapping the delegation in a code harness \u2014 with explicit control flow, typed inputs, and structured error returns \u2014 reduces hallucinated skips and out-of-order completions.\n      \n      \n\n        Implementation idea: Replace the prose-instruction delegate pattern with a generated Python scaffold that calls child agents as functions, captures return values onto the blackboard, and handles failures with typed exceptions. The orchestrator generates this harness; the harness runs in OpenHands.\n      \n      \nBuild priority: [HIGH] \u2014 directly addresses the \"agents skip tools\" failure mode visible in OpenHands UI. Zero Golden Rule violations.\n    \n\n    \n\n      \nFinding 2 \u2014 SkillGenBench [2605.18693] \u00b7 SKILL.md Pipeline Quality\n      \n\n        What it shows: The paper benchmarks skill generation pipelines for LLM agents across three dimensions: generalizability (does the skill transfer to new tasks?), executability (does it run without errors?), and improvement rate (does Evolver produce better skills over iterations?). Key finding: pipelines that include a structured validation step \u2014 running the generated skill against at least one held-out test case before committing \u2014 show 2-3x fewer brittle skills in production. [ArXiv 2605.18693]\n      \n      \n\n        Merlin component: Evolver (SKILL.md evolution loop). Merlin currently lacks a structured validation gate between Evolver output and SKILL.md commit.\n      \n      \n\n        Implementation idea: Add a post-generation validation step to the Evolver loop: generate a synthetic test case from the skill's stated purpose, run the new skill against it in a sandboxed OpenHands session, and require a confidence \u226592 pass before committing to SKILL.md. Failed validations feed back as examples to the next Evolver iteration.\n      \n      \nBuild priority: [MEDIUM] \u2014 valuable for Phase 1 closure but not a current blocker. Plan for next sprint.\n    \n\n    \n\n      \nFinding 3 \u2014 Three-Layer Safety [2605.18672] \u00b7 Judge/Auditor Architecture\n      \n\n        What it shows: This position paper argues \u2014 with probabilistic analysis \u2014 that enforcing LLM agent safety within a single abstraction layer is categorically insufficient, not merely suboptimal. The argument: a single Judge operating on agent output cannot distinguish between confident-correct, confident-wrong, and adversarially-manipulated outputs. A second independent layer with a different evidence basis is structurally required. [ArXiv 2605.18672]\n      \n      \n\n        Merlin component: Judge/Auditor verification loop. Merlin uses a single Judge with confidence \u226592 threshold. This paper is a direct challenge to whether that's sufficient.\n      \n      \n\n        Implementation idea: Add an independent Auditor layer that evaluates Judge outputs using a different evidence basis \u2014 specifically, checking OTel span data (did the agent actually call the tools the Judge claims it called?) rather than relying solely on the agent's self-reported output. This is effectively already in the Merlin roadmap; this paper makes the case for prioritizing it.\n      \n      \nBuild priority: [HIGH] \u2014 architectural gap with probabilistic safety implications. The OTel-based auditor is the right implementation and aligns with Golden Rule 2 (Pervasive OTel).\n    \n\n    \n\n      \nFinding 4 \u2014 314 npm Supply Chain Attack \u00b7 Operational Action\n      \n\n        What it shows: 314 npm packages compromised in an active supply chain attack. Attack vector and specific packages not yet disclosed at time of collection. [HackerNews, May 19]\n      \n      \n\n        Merlin component: OpenHands Docker image and any Node.js tooling in the build pipeline. The Merlin factory uses npm for frontend tooling and potentially for generated product scaffolding.\n      \n      \n\n        Implementation idea: Immediate: run npm audit on the OpenHands container image and any Merlin scaffolding packages. Pin all npm dependencies to exact versions with hashed integrity checks in package-lock.json. Consider switching to a private npm mirror with pre-vetted package snapshots for production builds.\n      \n      \nBuild priority: [HIGH] \u2014 operational, not research. Do this before the next factory run.\n    \n\n    \n\n      \nOpen Questions\n      \n\n        \nDoes the code-as-harness pattern require OpenHands to support programmatic error-return capture, or can this be layered above via the blackboard schema?\n        \nIf the three-layer safety argument is correct, what is the minimum independent evidence basis for an Auditor that doesn't double the per-task LLM cost? OTel spans are the obvious answer \u2014 but are they sufficient as a distinct evidence source, or do they suffer from the same adversarial manipulation surface?\n      \n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      Military / Geopolitical\n    \n    \nS3 \u00b7 OSINT\n  \n  \n\n\n    \n\n      \nBLUF\n      \nIran issued a public threat to interfere with submarine cables in the Strait of Hormuz \u2014 the first explicit statement of this kind and a structural escalation of its coercive posture. Separately, the US suspended the joint defense advisory board with Canada, marking a measurable deterioration in a foundational alliance.\n    \n\n    \nIran Threatens Submarine Cable Interference in Strait of Hormuz\n    \n\n      \nIranian officials issued a public statement hinting at the ability and willingness to disrupt submarine communications cables passing through the Strait of Hormuz in response to US pressure. [The Register \u00b7 2026-05-19]\n      \nThe Strait of Hormuz carries a significant fraction of global submarine cable traffic between Europe, Asia, and the Gulf states. Disruption would affect internet connectivity across the Middle East and portions of South Asia.\n      \nThis is a qualitative escalation: Iran has threatened oil shipping before; threatening communications infrastructure targets a different category of critical systems and signals broader coercive reach.\n      \nNo disruption has occurred. The statement is assessed as a coercive signal rather than an imminent operational threat \u2014 but the explicit nature of the statement represents a new threshold.\n    \n    \n\n      \nContext\n      \nSubmarine cable disruption has been used previously by Russia (Baltic Sea, 2024) and suspected Houthi activity in the Red Sea (2024). Iran publicly claiming this capability in the Hormuz context signals awareness of the tactic's leverage. US-Iran nuclear negotiations remain ongoing and unresolved.\n    \n    \n\n      \nOpen Questions\n      \n\n        \nIs this a negotiating signal tied to nuclear talks, or a longer-term shift in Iran's coercive toolkit?\n        \nWhat redundant cable routing exists for Gulf-to-Asia traffic that would mitigate a Hormuz disruption?\n      \n    \n\n    \nUS Suspends Joint Defense Advisory Board with Canada\n    \n\n      \nThe Pentagon's policy chief announced Monday that the United States suspended the joint defense advisory board with Canada. [Pentagon / NOTUS \u00b7 2026-05-18]\n      \nThe move was described as a response to Canadian political developments following the Carney government's election. It represents a formal institutional suspension, not a routine postponement.\n      \nThe Canada-US defense relationship encompasses NORAD, Arctic monitoring, and joint continental defense architecture. A suspended advisory board does not immediately degrade operational capability, but signals political intent to reduce coordination.\n      \nThis follows other recent US-Canada friction including tariff disputes and the 51st-state rhetoric from the Trump administration.\n    \n    \n\n      \nContext\n      \nThe Trump administration has applied similar pressure to other close allies including Denmark (Greenland), Panama (canal access), and the EU (trade). Canada represents a different tier \u2014 a direct continental neighbor with deeply integrated defense infrastructure. Suspension of formal advisory mechanisms is the first measurable institutional step beyond rhetoric.\n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      US News\n    \n    \nS4 \u00b7 DOMESTIC\n  \n  \n\n\n    \n\n      \nBLUF\n      \nThe Musk v. OpenAI lawsuit was dismissed by jury in under two hours, clearing the principal legal challenge to OpenAI's non-profit-to-capped-profit governance conversion and removing a significant overhang on OpenAI's restructuring timeline.\n    \n\n    \nUpdate: Musk Loses OpenAI Lawsuit After Less Than Two Hours of Jury Deliberation\n    \n\n      \nA jury dismissed Elon Musk's lawsuit against Sam Altman and OpenAI after less than two hours of deliberation. The trial had centered on whether Musk's early contributions constituted a binding agreement that OpenAI remain a non-profit. [TomHardware \u00b7 2026-05-18]\n      \nThe speed of the verdict \u2014 under two hours \u2014 signals the jury found the core claims insufficiently supported, not merely a close call.\n      \nOpenAI's governance conversion from non-profit to capped-profit structure now faces no active major legal challenge in US courts. The California AG review of the conversion terms remains a separate administrative process.\n      \nMusk's xAI continues as a competing AI lab; the lawsuit's dismissal does not change competitive dynamics but removes a source of legal and reputational drag on OpenAI's fundraising and governance roadmap.\n    \n    \n\n      \nContext\n      \nThe briefing noted on May 13 that the trial was entering final days with Altman's \"trust\" as the central question. The verdict follows that trajectory \u2014 the jury accepted OpenAI's argument that no legally binding agreement was violated. OpenAI has been seeking to complete its capped-profit restructuring to enable institutional investment at scale. This ruling removes the most significant legal obstacle to that process.\n    \n    \n\n      \nOpen Questions\n      \n\n        \nDoes Musk appeal, or does this effectively close the legal chapter and redirect his attention to regulatory or regulatory-adjacent pressure on OpenAI?\n        \nHow quickly does OpenAI move to finalize the governance restructuring now that the lawsuit is resolved?\n      \n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      Economic\n    \n    \nS5 \u00b7 FRED + NPM\n  \n  \n\n\n    \n\n      \nBLUF\n      \nMacro indicators show a softening-but-stable picture: yield curve normalizing (T10Y2Y at +0.54), VIX at 18.4 (contained), HY credit spread historically tight at 2.80. Supabase-js growth rate slightly below weekly pace (0.88x) while Prisma, Drizzle, and Convex are all accelerating. Drizzle continues to close the gap.\n    \n\n    \nFRED INDICATORS \u2014 WEEK OF MAY 19, 2026\n\n    \n\n      \n\n        \n          \n            Series\n            Definition\n            Latest\n            Date\n            Signal\n          \n        \n        \n          \n            T10Y2Y\n            10Y minus 2Y Treasury spread. Positive = normal curve; negative = inverted (recession signal).\n            +0.54\n            2026-05-18\n            Curve normalizing from inversion. No recession signal.\n          \n          \n            VIXCLS\n            CBOE VIX. Market's 30-day implied volatility expectation. Below 20 = calm; above 30 = stress.\n            18.43\n            2026-05-15\n            Within normal range. Moderate uncertainty, no regime stress.\n          \n          \n            SOFR\n            Secured Overnight Financing Rate. Effective short-term borrowing benchmark replacing LIBOR.\n            3.55%\n            2026-05-15\n            Stable. Fed holding at current rate.\n          \n          \n            BAMLH0A0HYM2\n            HY OAS Spread. High-yield bond spread over Treasuries. Measures credit risk appetite. Normal <400bps; stress >600bps.\n            2.80%\n            2026-05-15\n            Historically tight. Markets pricing low default risk. Credit conditions favorable.\n          \n          \n            ICSA\n            Initial Jobless Claims. Weekly new unemployment filings. Baseline 200\u2013250K.\n            211K\n            2026-05-09\n            Slight uptick from 199K prior week. Within normal range; no trend signal yet.\n          \n          \n            WM2NS\n            M2 Money Supply (NSA). Broad money including checking, savings, money market. Indicator of liquidity conditions.\n            $23,115B\n            2026-04-06\n            Growing from $22,884B. Liquidity expanding.\n          \n        \n      \n    \n\n    \nNPM ECOSYSTEM \u2014 WEEKLY DOWNLOADS\n\n    \n\n      \n\n        \n          \n            Package\n            Weekly\n            Monthly\n            Growth Rate\n            Signal\n          \n        \n        \n          \n            @supabase/supabase-js\n            16,054,383\n            78,908,474\n            0.88x\n            Below weekly pace. Watch for trend.\n          \n          \n            prisma\n            12,672,305\n            46,561,166\n            1.18x\n            Accelerating. Gap with supabase-js narrowing.\n          \n          \n            drizzle-orm\n            9,524,885\n            35,332,974\n            1.17x\n            Strong acceleration. Fastest-growing ORM.\n          \n          \n            firebase\n            7,589,108\n            29,543,351\n            1.11x\n            Steady growth. Firebase still relevant.\n          \n          \n            aws-sdk\n            9,992,852\n            38,612,957\n            1.12x\n            Stable enterprise baseline.\n          \n          \n            convex\n            726,678\n            2,620,539\n            1.20x\n            Highest growth rate. Small base but accelerating sharply.\n          \n          \n            @neondatabase/serverless\n            1,965,051\n            7,536,835\n            1.13x\n            Neon growing faster than supabase-js weekly rate.\n          \n          \n            @planetscale/database\n            195,496\n            822,018\n            1.03x\n            Flat. PlanetScale stalled since pricing changes.\n          \n        \n      \n    \n\n    \n\n      \nInterpretation\n      \nSupabase-js at 16M weekly is still the largest developer database client, but its 0.88x growth rate means it is running slightly below its own monthly average pace \u2014 a possible seasonal artifact or early signal of competitor acceleration. Prisma (1.18x) and Drizzle (1.17x) are both above their own monthly pace, meaning momentum is building. Convex at 1.20x is the outlier; small absolute numbers but the highest growth rate in the table. PyPI data unavailable this cycle (rate-limited).\n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      Technology\n    \n    \nS6 \u00b7 INDUSTRY\n  \n  \n\n\n    \n\n      \nBLUF\n      \nAnthropic acquired a dev tools startup previously used by OpenAI, Google, and Cloudflare \u2014 a direct move into developer infrastructure that shifts competitive dynamics in the AI tooling layer. OpenAI simultaneously announced an enterprise Codex deployment partnership with Dell, extending its footprint into on-premise environments where Supabase has limited reach.\n    \n\n    \nLEAD: Anthropic Acquires Developer Tools Startup Used by OpenAI, Google, and Cloudflare\n    \n\n      \nAnthropic confirmed the acquisition of a developer tools startup whose products were previously used by OpenAI, Google, and Cloudflare. Specific terms and the startup's name were not disclosed in initial reporting. [TechCrunch \u00b7 2026-05-18]\n      \nThe acquisition places Anthropic directly in the developer infrastructure layer \u2014 a market segment previously served by independent tools that competed on neutrality across AI providers.\n      \nSupabase relevance: Supabase operates in the developer infrastructure space (database + auth + edge functions). An Anthropic-owned developer tools company with enterprise relationships at Google and Cloudflare scale represents a new category of competitor \u2014 one with AI-native defaults and a distribution moat via Claude API customers.\n      \nFor Merlin specifically: if the acquired tooling includes orchestration or deployment primitives, it could compete directly with the OpenHands + Claude Code workflow Merlin is built on.\n    \n    \n\n      \nContext\n      \nAnthropic has been primarily a model provider. This acquisition signals a move toward vertical integration into the developer workflow layer \u2014 the same strategic direction OpenAI has pursued with Codex CLI, Cursor partnerships, and now the Dell enterprise deal. The specific startup and its product surface will determine the competitive impact. Watch for Anthropic announcements in the days following the acquisition close.\n    \n    \n\n      \nOpen Questions\n      \n\n        \nWhich startup was acquired, and what is its core product surface \u2014 IDE integration, CI/CD, observability, or something else?\n        \nDoes Anthropic integrate the tooling into Claude.ai or Claude API, or does it operate as a standalone product?\n      \n    \n\n    \nOpenAI and Dell Partner to Bring Codex to Hybrid and On-Premise Enterprise\n    \n\n      \nOpenAI and Dell announced a partnership to deploy Codex in hybrid and on-premise enterprise environments, extending AI coding assistance to organizations with data residency and air-gap requirements. [OpenAI \u00b7 2026-05-18]\n      \nThis is the first Codex deployment targeting infrastructure-constrained enterprises \u2014 a segment that has resisted SaaS AI tools due to compliance requirements.\n      \nOn-premise Codex running on Dell infrastructure means OpenAI gains enterprise relationships without requiring data to leave customer environments. Competitive implication for GitHub Copilot Enterprise, which has had this market largely to itself.\n      \nSupabase angle: enterprises adopting on-premise Codex will have AI-assisted development workflows that naturally point toward cloud-hosted databases. Supabase's enterprise tier and self-hosted option are relevant here, but the default path is likely toward OpenAI-adjacent infrastructure.\n    \n\n    \nTech Layoff Wave 2026: 138,837 Roles Eliminated at 324 Companies\n    \n\n      \nAs of May 2026, 324 tech companies have conducted layoffs affecting 138,837 employees. Cisco confirmed 4,000 positions cut. Meta layoffs reported beginning this week. [Layoffs.fyi / TechCrunch \u00b7 2026-05-18\u201319]\n      \nThe pace is elevated relative to the 2025 baseline but below the 2023 peak. Pattern: companies reducing non-AI headcount while increasing AI infrastructure spend \u2014 consistent with the \"fewer engineers, more compute\" operating model shift.\n      \nHiring environment implication for Supabase: senior infrastructure and database engineering talent is available at lower competition pressure than 2021\u20132022. Developer tool adoption typically accelerates during periods of engineering team consolidation as productivity-per-engineer metrics become more important.\n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      Cybersecurity\n    \n    \nS7 \u00b7 THREAT INTEL\n  \n  \n\n\n    \n\n      \nBLUF\n      \n314 npm packages were compromised in an active supply chain attack \u2014 the largest npm-specific campaign since the LiteLLM incident. CISA KEV recorded no new additions in the past 24 hours. NGINX CVE-2026-42945 is confirmed exploited in the wild with a 9.3 CVSS score SQL injection companion vulnerability.\n    \n\n    \nLEAD: 314 npm Packages Compromised \u2014 Mini Shai-Hulud Supply Chain Attack\n    \n\n      \nAn active supply chain attack \u2014 referred to as \"Mini Shai-Hulud Strikes Again\" on HackerNews \u2014 has compromised 314 npm packages. The specific packages and attack vector were not publicly disclosed at time of collection. [HackerNews \u00b7 2026-05-19]\n      \n314 packages represents a large-scale coordinated compromise, not an isolated incident. The \"Strikes Again\" framing indicates this is a recurrence of a previously observed campaign or actor.\n      \nDeveloper ecosystem risk: any project with transitive dependencies on compromised packages is potentially affected. Supply chain attacks at this scale typically target packages with millions of downstream consumers.\n      \nImmediate action: run npm audit on all active projects. Check npm advisory database for the specific package list when disclosed. Pin dependencies to exact versions with integrity hashes.\n      \nMerlin-specific: the OpenHands Docker image and Merlin's product scaffold generators use npm. Audit before next factory run.\n    \n    \n\n      \nContext\n      \nThe prior \"Shai-Hulud\" campaign (referenced by the \"Again\" framing) targeted developer tooling packages. The LiteLLM supply chain attack covered in the May 16 briefing involved a different vector (PyPI/Python). This is a parallel npm-specific campaign. npm supply chain attacks have historically been used for credential harvesting, crypto mining injection, and in advanced cases, persistent backdoors in generated code artifacts.\n    \n\n    \nNGINX CVE-2026-42945 Exploited in the Wild \u2014 Worker Crashes and Possible RCE\n    \n\n      \nCVE-2026-42945 affecting NGINX is confirmed exploited in the wild, causing worker process crashes and potentially enabling code execution. A companion SQL injection vulnerability CVE-2026-28516 (CVSS 9.3) was disclosed alongside it. [DailyCVE / Brave Search \u00b7 2026-05-18]\n      \nNGINX is widely deployed as a reverse proxy and load balancer in cloud-native and self-hosted infrastructure including Supabase self-hosted deployments.\n      \nCISA KEV did not add either CVE in the past 24 hours \u2014 CISA KEV total remains at 1,592 entries as of May 19. Check for KEV addition in subsequent days.\n      \nRecommended action: review NGINX version in any self-hosted or edge infrastructure and apply patches when available. The companion SQL injection CVE warrants immediate attention given CVSS 9.3.\n    \n\n    \n\n      \nCISA KEV \u2014 New Additions (Last 24h)\n      \nNo new entries added to the Known Exploited Vulnerabilities catalog in the past 24 hours. Total catalog: 1,592 entries as of 2026-05-19.\n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      Analysis\n    \n    \nS13 \u00b7 SYNTHESIS\n  \n  \n\n\n    \n\n      \nStructural Reads\n      \n\n        \nThe Anthropic acquisition of a cross-lab developer tools startup is probably the most structurally significant event of the week. It signals that Anthropic has concluded the model API layer alone is insufficient \u2014 that distribution requires owning developer workflow touchpoints. This is the same strategic logic that drove OpenAI toward Codex CLI, the Dell enterprise partnership, and operator embedding. The pattern across labs now: model commoditization is accelerating faster than anyone projected, so the value migration is moving up-stack into tooling, workflow integration, and developer identity. For Supabase, the acquisition raises a question that did not exist six months ago: if the developer tools layer consolidates under AI companies, does Supabase's infrastructure-neutral position become a competitive advantage (works with everything) or a liability (no model distribution flywheel)?\n\n        \nThe 314-npm supply chain attack and the NGINX CVE-2026-42945 exploitation arrive in the same 24-hour window as the Anthropic acquisition \u2014 not causally related, but thematically coherent. Developer infrastructure is now a primary attack surface. The prior briefing covered the LiteLLM Python supply chain compromise; this briefing covers an npm campaign. The cadence suggests a sustained adversarial focus on the developer tooling layer specifically, not random opportunism. Organizations that have not pinned dependencies and implemented integrity verification are running elevated risk during an active campaign period.\n\n        \nIran's submarine cable threat in the Strait of Hormuz is worth tracking separately from its nuclear-talks context. The explicit public statement \u2014 regardless of intent \u2014 establishes a new escalation reference point. If Iran perceives that threatening communications infrastructure carries low cost and high coercive value, the tactic will recur. The Red Sea cable disruptions of 2024 demonstrated that submarine cable attacks are feasible and that restoration timelines are measured in weeks, not days. A Hormuz disruption would have different geographic scope but similar operational logic.\n\n        \nThe yield curve normalization (T10Y2Y at +0.54) combined with historically tight HY credit spreads (2.80%) and contained VIX (18.4) describes a macro environment that is neither stressed nor euphoric. Developer tool adoption typically tracks with enterprise software budgets, which track with credit availability. The current macro reads as \"favorable but not accelerating\" \u2014 a backdrop where execution quality matters more than market tailwinds.\n      \n    \n\n    \n\n      \nMerlin Synthesis\n      \n\n        Today's ArXiv cluster is unusually coherent: three papers address the same architectural gap from different angles \u2014 that the current orchestrator pattern (prose delegation + single judge) has measurable failure modes that structured alternatives can reduce. The code-as-harness paper (2605.18747) addresses the dispatch layer; the three-layer safety paper (2605.18672) addresses the verification layer; SkillGenBench (2605.18693) addresses the skill quality layer. These are not independent research threads \u2014 they triangulate on the same system-level problem. The probability that all three are wrong in their core claims is low. The implication: the Phase 1 factory closure plan should include at minimum the OTel-based Auditor (independent verification layer) and a pre-commit skill validation gate before the next major Evolver run. The code-as-harness pattern is likely a [HIGH] sprint item once the OpenHands upgrade plan is resolved. The 314-npm attack also warrants an immediate dependency audit before the next factory run \u2014 this is operational, not optional.\n      \n    \n\n  \n\n\n    \n\n\n\n\n    \n\n        \n\n            \nGenerated\n            \n2026-05-19T08:15:00-07:00\n        \n        \n\n            \nArXiv Window\n            \n9 / 13 \u00b7 Historical: 2026-03-10 to 2026-03-17\n        \n        \n\n            \nSections\n            \n8 included \u00b7 5 omitted\n        \n        \n\n            \nLeads\n            \n2 \u00b7 Includes: 9 \u00b7 Merlin findings: 4\n        \n        \n\n            \nDropped\n            \nStale: 3 \u00b7 Dedup: 2\n        \n        \n\n            \nData Sources\n            \nRSS: 18/18 \u00b7 FRED: 14/14 \u00b7 Brave: 13/44 (rate-limited) \u00b7 npm: 8/8 \u00b7 CISA KEV: OK \u00b7 Weather: OK\n        \n        \n\n            \nAudio\n            \nPending TTS generation\n        \n    \n\n\n\n", "creation_timestamp": "2026-05-19T08:28:51.000000Z"}, {"uuid": "8a9e0e2c-6e1c-462b-8f0c-6770f52fd9b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84751", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-42945\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a imSre9\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a None\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-19 01:54:52\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\n\u65e0\u63cf\u8ff0\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-19T02:00:04.000000Z"}, {"uuid": "39734076-263a-4220-a889-595ca183310e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/modat-io.bsky.social/post/3mm7523waw22z", "content": "\u26a0\ufe0f CVE-2026-42945 (CVSS 9.2): NGINX heap overflow in ngx_http_rewrite_module (\u22641.30.0) is actively being exploited in the wild. Crafted HTTP requests via rewrite/if/set PCRE \u201c?\u201d can crash workers and may lead to RCE (ASLR off). Patch now to Nginx 1.31.0 or 1.30.1. Query: technology=\"Nginx\"", "creation_timestamp": "2026-05-19T10:00:44.624790Z"}, {"uuid": "dad46afa-c19c-4f17-b5bf-54e4aca79a88", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/undercode.bsky.social/post/3mm763xdw3m2o", "content": "CVE-2026-42945 (CVSS 92): The 18-Year-Old NGINX Rift Heap Overflow \u2013 Full RCE PoC & Mitigation Guide +\u00a0Video\n\nIntroduction: A heap buffer overflow vulnerability codenamed \"NGINX Rift\" (CVE-2026-42945) has been discovered in the widely used `ngx_http_rewrite_module` of NGINX, affecting all versions\u2026", "creation_timestamp": "2026-05-19T10:19:32.730450Z"}, {"uuid": "bbb07a7a-81f5-410f-ad5a-457939f65740", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mm7bfzfq532i", "content": "Critical NGINX Vulnerability CVE-2026-42945 Now Under Active Attack", "creation_timestamp": "2026-05-19T11:18:53.365220Z"}, {"uuid": "f4dbf8b8-7488-4a5e-86dd-b0aa43b923dd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/getpacketai.bsky.social/post/3mm7c2knos22q", "content": "Critical NGINX flaw (CVE-2026-42945) already under active exploitation in the wild. CVSS 9.2 heap buffer overflow could crash workers or enable RCE\u2014patch your 0.6.27\u20131.30.0\u2026\n\nhttps://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html\n\n#cybersecurity #infosec", "creation_timestamp": "2026-05-19T11:30:20.462379Z"}, {"uuid": "69334776-7302-4ab5-9b7a-f7a63120687d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hacker.at.thenote.app/post/3mm7g5kjakk2g", "content": "Attackers are exploiting critical NGINX vulnerability (CVE-2026-42945)\n\nA critical NGINX vulnerability (CVE-2026-42945) disclosed last week is being exploited by attackers, VulnCheck security researcher Patrick Garrity revealed on Saturday. The vulnerability, dubbed NGINX Rift, ca\u2026\n#hackernews #news", "creation_timestamp": "2026-05-19T12:43:37.772153Z"}, {"uuid": "8080b79d-9bad-42ba-8de1-b54e5ef0d931", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mm7ih6vuosm2", "content": "NGINX CVE-2026-42945 Under Active Exploitation After F5 Patch Drop VulnCheck confirmed in-the-wild exploitation of NGINX CVE-2026-42945, a critical heap overflow, within days of F5's patch; 5.7...\n\n#Resources #Application #Security #CVE #Vulnerability [\u2026] \n\n[Original post on dailysecurityreview.com]", "creation_timestamp": "2026-05-19T13:24:48.506286Z"}, {"uuid": "e4cc7eff-3216-41b3-9027-18e6fa5ea3e6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/thedailytechfeed.com/post/3mm7oofheum2b", "content": "Urgent: Critical NGINX vulnerability (CVE-2026-42945) under active exploitation. Update to NGINX 1.31.1/1.30.1 immediately. #CyberSecurity #NGINX #CVE202642945 Link: thedailytechfeed.com/critical-ngi...", "creation_timestamp": "2026-05-19T15:16:11.807392Z"}, {"uuid": "b9c10627-1817-4452-900f-b5d849a9c27f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "exploited", "source": "https://t.me/xakep_ru/19396", "content": "\u0417\u0430\u0444\u0438\u043a\u0441\u0438\u0440\u043e\u0432\u0430\u043d\u044b \u043f\u0435\u0440\u0432\u044b\u0435 \u0441\u043b\u0443\u0447\u0430\u0438 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0441\u0432\u0435\u0436\u0435\u0433\u043e \u0431\u0430\u0433\u0430 \u0432 NGINX\n\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0430\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-42945 \u0432 NGINX, \u043f\u043e\u043b\u0443\u0447\u0438\u0432\u0448\u0430\u044f \u043d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 NGINX Rift, \u0443\u0436\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0432 \u0440\u0435\u0430\u043b\u044c\u043d\u044b\u0445 \u0430\u0442\u0430\u043a\u0430\u0445. \u041f\u043e \u0434\u0430\u043d\u043d\u044b\u043c \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u0438\u0441\u0442\u043e\u0432 \u043a\u043e\u043c\u043f\u0430\u043d\u0438\u0438 VulnCheck, \u043f\u043e\u043f\u044b\u0442\u043a\u0438 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u043d\u0430\u0447\u0430\u043b\u0438\u0441\u044c \u0431\u0443\u043a\u0432\u0430\u043b\u044c\u043d\u043e \u0447\u0435\u0440\u0435\u0437 \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u0434\u043d\u0435\u0439 \u043f\u043e\u0441\u043b\u0435 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438 CVE \u0438 \u0432\u044b\u0445\u043e\u0434\u0430 \u043f\u0430\u0442\u0447\u0435\u0439.\n\nhttps://xakep.ru/2026/05/19/cve-2026-42945-attacks/", "creation_timestamp": "2026-05-19T15:36:39.000000Z"}, {"uuid": "0c4f21e3-7cfe-4c2d-b364-e052e594fa49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://ccb.belgium.be/advisories/warning-multiple-vulnerabilities-nginx-leading-remote-code-execution-and-allowing-rate", "content": "", "creation_timestamp": "2026-05-19T08:05:32.000000Z"}, {"uuid": "5f51f64c-7cc8-4b4f-900c-75474e33df87", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/decio/statuses/116600348345397141", "content": "[Related]L'exploitation sur internet de CVE-2026-42945  aka NGINX RIFT https://depthfirst.com/nginx-rift  aurait commenc\u00e9 selon VulnCheck \u2b07\ufe0f \"Exploitation of Critical NGINX Vulnerability Begins\"\"The flaw leads to denial-of-service on default configurations and to remote code execution if ASLR is disabled.\"\"Shortly after F5 released patches for the bug, Depthfirst published technical details and proof-of-concept (PoC) code targeting it. Now, VulnCheck says threat actors are already exploiting the issue in attacks.\n\u201cWe\u2019re seeing active exploitation of CVE-2026-42945 in F5 NGINX, a heap buffer overflow affecting both NGINX Plus and NGINX Open Source on VulnCheck Canaries just days after the CVE was published,\u201d VulnCheck researcher Patrick Garrity warned. ( https://www.linkedin.com/posts/patrickmgarrity_cybersecurity-threatintelligence-riskmanagement-share-7461369931851517952-PBjV/ ) \"\ud83d\udc47 https://www.securityweek.com/exploitation-of-critical-nginx-vulnerability-begins\n#CyberVeille  #NGINXRift", "creation_timestamp": "2026-05-19T08:42:00.537759Z"}, {"uuid": "7da51d69-d073-4df3-83c9-6f28e338496e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/timb_machine/statuses/116600044786237419", "content": "CVE-2026-42945 looks nasty:\nhttps://github.com/DepthFirstDisclosures/Nginx-Rift\n#threatintel, #nginx", "creation_timestamp": "2026-05-19T08:43:44.763093Z"}, {"uuid": "9696ccb3-738d-48c4-a62a-ae24a33ec37b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/deafnews-auto.bsky.social/post/3mm73wur5ds2s", "content": "NGINX Rift Under Active Exploitation: A Technical Analysis of CVE-2026-42945", "creation_timestamp": "2026-05-19T09:41:17.135578Z"}, {"uuid": "2a666101-38b8-41ec-8276-e2b3b3d5016c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/technoholic.bsky.social/post/3mmaxolen4r2n", "content": "A critical flaw in NGINX (CVE-2026-42945, CVSS 9.2) is actively exploited. It affects versions 0.6.27 to 1.30.0 via heap buffer overflow in ngx_http_rewrite_module. Update now!", "creation_timestamp": "2026-05-20T03:30:01.007380Z"}, {"uuid": "057a7243-1922-4bb4-88bd-2ddf0bca2af7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/diesec.bsky.social/post/3mma2etv6vz2r", "content": "CVE-2026-42945 (CVSS 9.2): 18-year-old heap overflow in NGINX rewrite module \u2014 now actively exploited. Affects every NGINX version from 0.6.27 to 1.30.0. Attackers use AI scanning to find vulnerable instances at scale. Update immediately.\n\n#CyberSecurity #NGINX", "creation_timestamp": "2026-05-19T18:45:37.140020Z"}, {"uuid": "5c99d3cc-d06d-44be-89a2-149462bb4904", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/Kubernetes.activitypub.awakari.com.ap.brid.gy/post/3mma677tdpep2", "content": "\ud83d\udea9 Critical \u201cNGINX Rift\u201d vulnerability enables unauthenticated DoS and potential RCE through rewrite module misconfiguration Critical \u201cNGINX Rift\u201d flaw (CVE-2026-42945) enables unauthenti...\n\n#TIGR #vulnerability\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-19T19:54:05.436257Z"}, {"uuid": "606622be-c701-4814-a515-9de290badc89", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/obivan/statuses/116603263933186294", "content": "PoC for Nginx RCE (CVE-2026-42945) with ASLR enabled https://github.com/Hamid-K/nginx-rift-private-lab", "creation_timestamp": "2026-05-19T21:03:28.669063Z"}, {"uuid": "9216a981-4400-4826-8f5b-69a57e81685e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/obivan.infosec.exchange.ap.brid.gy/post/3mmac3j4edip2", "content": "PoC for Nginx RCE (CVE-2026-42945) with ASLR enabled https://github.com/Hamid-K/nginx-rift-private-lab", "creation_timestamp": "2026-05-19T21:04:14.826756Z"}, {"uuid": "cb17db56-60c8-48bb-90f9-002fba6daa1a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/happy-homhom.bsky.social/post/3mmapsahzq72q", "content": "NGINX\u306e\u6df1\u523b\u306a\u8106\u5f31\u6027\u300cCVE-2026-42945\u300d\u3092\u7a81\u304fPoC\u516c\u958b\u3001\u4f55\u304c\u8d77\u304d\u308b\u306e\u304b\u3092\u3084\u3055\u3057\u304f\u89e3\u8aac\nhttps://papoo.work/doc/a02e47991ba665ef", "creation_timestamp": "2026-05-20T01:08:54.055819Z"}, {"uuid": "28863afd-b064-4e40-9d65-f7fe60e81344", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mmaueesnqq2x", "content": "Top 3 CVE for last 7 days:\nCVE-2026-42897: 56 interactions\nCVE-2026-46300: 56 interactions\nCVE-2026-42945: 50 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-31635: 9 interactions\nCVE-2026-42945: 8 interactions\nCVE-2026-41054: 4 interactions\n", "creation_timestamp": "2026-05-20T02:30:37.561798Z"}, {"uuid": "78e323ac-3d9a-48c5-8524-a48604d8131a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/kitafox.bsky.social/post/3mmazdyobk42f", "content": "NGINX\u306e\u8106\u5f31\u6027\uff1a18\u5e74\u524d\u304b\u3089\u5b58\u5728\u3059\u308b\u91cd\u5927\u306a\u6b20\u9665CVE-2026-42945\u304c\u60aa\u7528\u3055\u308c\u3001\u30b5\u30fc\u30d0\u30fc\u304c\u30af\u30e9\u30c3\u30b7\u30e5\u3059\u308b\u4e8b\u614b\u304c\u767a\u751f \n\nNGINX Rift: Critical 18-Year-Old Flaw CVE-2026-42945 Actively Exploited to Crash Servers  #DailyCyberSecurity (May 19)\n\nsecurityonline.info/nginx-rift-v...", "creation_timestamp": "2026-05-20T03:59:53.867174Z"}, {"uuid": "313ed570-07b6-4196-8041-b909046bda63", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mmbm5ejovwz2", "content": "Critical NGINX Vulnerability CVE-2026-42945 Now Under Active Attack Cybersecurity researchers are warning that attackers have already started exploiting a newly disclosed NGINX vulnerability, trac...\n\n#Firewall #Daily #Cyber #News #Vulnerabilities [\u2026] \n\n[Original post on thecyberexpress.com]", "creation_timestamp": "2026-05-20T09:36:20.910212Z"}, {"uuid": "dce8ab07-2b5b-4178-a6ba-19f0b1996564", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mmbahkja7s2w", "content": "\ud83d\udccc NGINX Vulnerability CVE-2026-42945 Actively Exploited in the Wild https://www.cyberhub.blog/article/26192-nginx-vulnerability-cve-2026-42945-actively-exploited-in-the-wild", "creation_timestamp": "2026-05-20T06:07:10.514636Z"}, {"uuid": "f47f0bec-b4c7-4e2e-95ae-8175d708fce8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84927", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026 #Exploit #RCE\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-42945-NGINX-Rift-Toolkit\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a gagaltotal\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-20 07:39:53\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nCVE-2026-42945 - NGINX Rift Toolkit\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-20T07:42:18.000000Z"}, {"uuid": "23b2a61f-c00c-4808-b4ab-adea0a465cac", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://www.govcert.gov.hk/en/alerts_detail.php?id=1881", "content": "", "creation_timestamp": "2026-05-19T21:00:00.000000Z"}, {"uuid": "95338f72-c27e-4905-be69-4a200c24198b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://www.govcert.gov.hk/en/alerts_detail.php?id=1871", "content": "", "creation_timestamp": "2026-05-13T21:00:00.000000Z"}, {"uuid": "4bf493a5-08e1-442f-bab1-1a06d29a4f62", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hackmag.com/post/3mmbu6mtlck2i", "content": "\ud83d\udfe2 18-year-old vulnerability in NGINX leads to remote code execution\n\n\ud83d\udde8\ufe0f Researchers from DepthFirst AI have discovered a critical vulnerability in NGINX, CVE-2026-42945, which scored 9.2 on th\u2026\n\n#news", "creation_timestamp": "2026-05-20T12:00:05.058922Z"}, {"uuid": "ab7079ae-06ae-49a7-a5a0-d27cc26ae6b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/pentest-tools.com/post/3mmbxzcxs5k2z", "content": "\ud83d\udea8 Worried about your #NGINX web servers? \ud83d\udc49We built a *free* scanner for CVE-2026-42945 (NGINX Rift)!\ud83d\udc47\n\nCheck your targets now (no account required): pentest-tools.com/network-vuln... \n\nOnce the scan completes (if your target is vulnerable), you'll get a finding that includes: \n\n\ud83d\udc47\ud83d\udc47\ud83d\udc47\ud83d\udc47\ud83d\udc47", "creation_timestamp": "2026-05-20T13:08:45.829018Z"}, {"uuid": "e150e1f9-28b5-45d2-821b-eafbd1a4ef92", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/pentest-tools.com/post/3mmbxzgchac2z", "content": "\ud83d\udea8 Worried about your #NGINX web servers? \ud83d\udc49We built a *free* scanner for CVE-2026-42945 (NGINX Rift)!\ud83d\udc47\n\nCheck your targets now (no account required): pentest-tools.com/network-vuln... \n\nOnce the scan completes (if your target is vulnerable), you'll get a finding that includes: \n\n\ud83d\udc47\ud83d\udc47\ud83d\udc47\ud83d\udc47\ud83d\udc47", "creation_timestamp": "2026-05-20T13:08:46.495706Z"}, {"uuid": "4a8f8035-3b71-4551-acfd-f336370e4d96", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/opsmatters.com/post/3mmdn43gylt2q", "content": "The latest update for #CyCognito includes \"Emerging Threat: (CVE-2026-42945) NGINX Rift Heap Overflow in Rewrite Module\" and \"Emerging Threat: (CVE-2026-20182) Cisco Catalyst SD-WAN Authentication Bypass\".\n \n#cybersecurity #AttackSurfaceManagement #EASM https://opsmtrs.com/44Srq0X", "creation_timestamp": "2026-05-21T04:58:41.809346Z"}, {"uuid": "2864e9f4-db15-4f38-9bf9-7d574f1d71b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/-GtOjHLopjI3IaP_VfvZorB58d5FmtAfesT4Onu4QlAoHy4", "content": "", "creation_timestamp": "2026-05-19T03:00:11.000000Z"}, {"uuid": "331b4086-5dd1-4484-874a-cf0dccac6ca6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/SCHrRkpCF0pkwO9cZRSDiWfzSKGCwL3xFSMVyArhFg6QVc0", "content": "", "creation_timestamp": "2026-05-19T15:00:15.000000Z"}, {"uuid": "73184c49-9c82-49e7-8b35-743d172a286e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/SM41ZgDjE5GCx8_K5BndOjKQZfdnq7khstyXQtIQ9aWd83s", "content": "", "creation_timestamp": "2026-05-19T21:00:04.000000Z"}, {"uuid": "8667c698-3ebe-4702-a417-694a9f3bfc49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/hzv6ufhcPbJBr7JIKKcVNglOkNG1gMbHubCrH0NP1aUauYA", "content": "", "creation_timestamp": "2026-05-20T11:00:10.000000Z"}, {"uuid": "14f0e28b-fbe9-41ce-88e8-ea29114fa8df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/TE3YqlNh8Lh7HQBLppGqA0QLdQWZtjPwFCYattexDyR1ga0", "content": "", "creation_timestamp": "2026-05-18T15:00:14.000000Z"}, {"uuid": "b49b76dc-595a-4dab-81cf-1ad6512dd783", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/EUsL0GBkk0Vgc4QR4rSrAW23hhvDTc4r4ZLNoVXnBNt04Fk", "content": "", "creation_timestamp": "2026-05-20T19:00:11.000000Z"}, {"uuid": "15b74625-8cd8-4308-9c54-e0537ea76af0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/LRuVHO_NRtLslMv_pxl3JYoJM5ygIHd_ktikilExPtpHxGM", "content": "", "creation_timestamp": "2026-05-20T15:00:07.000000Z"}, {"uuid": "b24d1abb-f859-4e6f-aee7-92eed77b9394", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/AMxmfUF4ewnzD7lMn6F-NG7YppsQsWodDT8ioiY0udlXjVPS", "content": "", "creation_timestamp": "2026-05-21T18:44:33.000000Z"}, {"uuid": "efa57a9f-6553-4964-9a73-98817c57213a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/almalinux.org/post/3mmesomo3lk24", "content": "\ud83d\udea8 nginx has a critical vuln hiding in it for 18 years. \n\nWe patched it across AlmaLinux 8, 9, 10 & Kitten\u2014including EOL streams\u2014before upstream did.\n\nDetails on our blog. \ud83d\udc49 https://almalinux.org/blog/2026-05-13-nginx-rift-cve-2026-42945/?utm_medium=social&utm_source=bluesky", "creation_timestamp": "2026-05-21T16:11:12.630684Z"}, {"uuid": "05bd4444-06f4-4ac8-87d7-7b4094c39ccc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/y4W9fQ0s435t06YqivFDBJuH4KL8EGUFyQpMcFpfFM7n6Sq6", "content": "", "creation_timestamp": "2026-05-21T19:00:57.000000Z"}, {"uuid": "25cd055f-9475-41e7-bd18-7ba117feae16", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/nginx-multiple-vulnerabilities_20260515", "content": "", "creation_timestamp": "2026-05-14T18:00:00.000000Z"}, {"uuid": "b735c97d-dff8-46c7-ae0a-21f34937a930", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "https://t.me/donnazmi/1075", "content": "Free to use and share ya.\n\nhttps://github.com/forxiucn/nginx-cve-2026-42945-poc\nhttps://github.com/chenqin231/CVE-2026-42945\nhttps://github.com/byezero/nginx-cve-2026-42945-check", "creation_timestamp": "2026-05-19T14:45:43.000000Z"}]}