{"vulnerability": "CVE-2026-9256", "sightings": [{"uuid": "d0d64a8f-e4aa-4651-b4b8-195b31bd3527", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://cyber.gc.ca/en/alerts-advisories/f5-security-advisory-av26-501", "content": "", "creation_timestamp": "2026-05-22T09:02:13.000000Z"}, {"uuid": "09aa6685-442a-442e-95d6-5515097af3eb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116618991514251454", "content": "A new vulnerability with increased severity was disclosed for F5 NGINX Plus and NGINX Open Source (CVE-2026-9256) https://vuldb.com/vuln/365202", "creation_timestamp": "2026-05-22T15:43:17.057509Z"}, {"uuid": "b47b14a4-426b-4154-b002-490f9168dbf9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/boredchilada.bsky.social/post/3mmhd6h3yn32k", "content": "~Cybergcca~\n6 advisories released, highlighting a highly critical Drupal SQL injection (CVE-2026-9082) exploited in the wild and critical F5 NGINX flaws.\n-\nIOCs: CVE-2026-9082, CVE-2026-9256\n-\n#CVE20269082 #Drupal #ThreatIntel #Vulnerability", "creation_timestamp": "2026-05-22T16:11:43.203330Z"}, {"uuid": "df9fe749-1f48-44fe-8af9-56ee6c6d4fc4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmhinmth2b2k", "content": "CVE-2026-9256 - NGINX ngx_http_rewrite_module vulnerability\nCVE ID : CVE-2026-9256\n \n Published : May 22, 2026, 2:11 p.m. | 2\u00a0hours, 48\u00a0minutes ago\n \n Description : NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability ...", "creation_timestamp": "2026-05-22T17:49:40.822633Z"}, {"uuid": "74a6281f-c165-48a2-9e02-0da5a8e25f46", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/r-netsec-bot.bsky.social/post/3mmhptdqmal2g", "content": "CVE-2026-9256 - \"nginx-poolslip\", another new vulnerability in the rewrite module", "creation_timestamp": "2026-05-22T19:58:08.631431Z"}, {"uuid": "6ab8f904-e88b-4603-90b6-a99a3f12ed6a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://mstdn.social/users/jschauma/statuses/116620852119462759", "content": "The previous announced sibling vulnerability to \"nginx rift\" has been fixed by F5 and has been assigned CVE-2026-9256):\nhttps://my.f5.com/manage/s/article/K000161377\nThis was previously called \"nginx-poolslip\" (https://nitter.net/nebusecurity/status/2057071579876753643) and is a DoS with possible RCE (\"if the attacker can bypass ASLR\" - not sure how?), using a similar regex capture vector.\nWouldn't be surprised if this is the new norm: one vuln lands, everybody points their AI at that attack vector and discovers sibling vulns.", "creation_timestamp": "2026-05-22T23:36:24.040138Z"}, {"uuid": "982537a1-038e-4083-89d2-d75c9fe27e15", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://infosec.exchange/users/cR0w/statuses/116620003808518966", "content": "Another vuln in NGINX rewriting. Looks pretty similar to the last one. Requires ASLR bypass or disabled for RCE.\nhttps://my.f5.com/manage/s/article/K000161377\n\nNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, /((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. (CVE-2026-9256)", "creation_timestamp": "2026-05-22T20:00:39.688281Z"}, {"uuid": "a993ad22-4bbb-4a9f-ba10-9e179ff95b75", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/r-netsec.bsky.social/post/3mmhqhrizki2g", "content": "CVE-2026-9256 - \"nginx-poolslip\", another new vulnerability in the rewrite module", "creation_timestamp": "2026-05-22T20:09:34.185879Z"}, {"uuid": "66fe738e-15e6-4d80-839a-a3c1e28ed090", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/jschauma.mstdn.social.ap.brid.gy/post/3mmi3znywbij2", "content": "The previous announced sibling vulnerability to \"nginx rift\" has been fixed by F5 and has been assigned CVE-2026-9256):\n\nhttps://my.f5.com/manage/s/article/K000161377\n\nThis was previously called \"nginx-poolslip\" (https://nitter.net/nebusecurity/status/2057071579876753643) and is a DoS with [\u2026]", "creation_timestamp": "2026-05-22T23:36:29.984102Z"}, {"uuid": "968143dc-f4c9-4e90-b176-6e02298a9939", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mmiang525h2v", "content": "NGINX ngx_http_rewrite_module buffer overflow (CVE-2026-9256)", "creation_timestamp": "2026-05-23T00:59:06.066348Z"}, {"uuid": "df5a809a-8ec5-4129-81aa-8da6e6663e6e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116622178040678966", "content": "It is possible to see elevated activities targeting F5 NGINX Plus and NGINX Open Source (CVE-2026-9256) https://vuldb.com/vuln/365202/cti", "creation_timestamp": "2026-05-23T05:13:35.169271Z"}, {"uuid": "32579c91-3e90-4298-888b-e79cc6184ad6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "Telegram/tLTaf5zN9aUn_D8KOi_rgxptZENw0EocHmy4bQpa2VASaD8", "content": "", "creation_timestamp": "2026-05-24T09:00:04.000000Z"}, {"uuid": "d0f7d43c-c5b3-4a44-a758-3aea567a237c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://t.me/bdufstecru/3194", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044f ngx_http_rewrite_module \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432 NGINX Plus \u0438 NGINX Open Source \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435\u043c \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 \u0434\u0438\u043d\u0430\u043c\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u043f\u0430\u043c\u044f\u0442\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u0438\u043b\u0438 \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438 \u043f\u0443\u0442\u0435\u043c \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e HTTP-\u0437\u0430\u043f\u0440\u043e\u0441\u0430\n\nBDU:2026-07182\nCVE-2026-9256\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://my.f5.com/manage/s/article/K000161377", "creation_timestamp": "2026-05-25T14:46:51.000000Z"}, {"uuid": "5f40839a-f4e0-41a1-90c8-4f07d8f288e3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/boredchilada.bsky.social/post/3mmoui27mho26", "content": "~Cybergcca~\nCCCS released 7 advisories for IBM, Roundcube, Dell, Ubuntu, CISA ICS, Red Hat, and cPanel.\n-\nIOCs: CVE-2026-9256\n-\n#Patch #ThreatIntel #Vulnerability", "creation_timestamp": "2026-05-25T16:09:56.663682Z"}, {"uuid": "2b0d65c5-054f-4be9-8ca1-c4487376a29b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://cyber.gc.ca/en/alerts-advisories/cpanel-security-advisory-av26-508", "content": "", "creation_timestamp": "2026-05-25T07:30:43.000000Z"}, {"uuid": "e56a475d-524c-499b-922f-7a908b1ccd73", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mmr375cpjn2h", "content": "\ud83d\udd17 CVE : CVE-2026-9256", "creation_timestamp": "2026-05-26T13:15:33.798628Z"}]}