Vulnerability-Lookup

WID-SEC-W-2026-0860

Vulnerability from csaf_certbund - Published: 2026-03-24 23:00 - Updated: 2026-04-09 22:00

Summary

NGINX und NGINX Plus: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: NGINX Plus ist die kommerzielle Variante von NGINX, einer Webserver-, Reverse Proxy- und E-Mail Proxy Software. NGINX ist eine Webserver-, Reverse Proxy- und E-Mail-Proxy Software.

Angriff: Ein Angreifer kann mehrere Schwachstellen in NGINX Plus und NGINX ausnutzen, um einen Denial of Service Angriff durchzuführen, um Daten zu manipulieren, um Sicherheitsvorkehrungen zu umgehen, und potenziell um beliebigen Programmcode auszuführen.

Betroffene Betriebssysteme: - Linux - UNIX - Windows

CVE-2026-27651

CVE-2026-27654

CVE-2026-27784

CVE-2026-32647

CVE-2026-28755

CVE-2026-28753

References

URL

Category

	https://wid.cert-bund.de/.well-known/csaf/white/2…	self
	https://wid.cert-bund.de/portal/wid/securityadvis…	self
	https://euvd.enisa.europa.eu/enisa/EUVD-2026-14880	external
	https://euvd.enisa.europa.eu/enisa/EUVD-2026-14881	external
	https://euvd.enisa.europa.eu/enisa/EUVD-2026-14883	external
	https://euvd.enisa.europa.eu/enisa/EUVD-2026-14885	external
	https://euvd.enisa.europa.eu/enisa/EUVD-2026-14887	external
	https://euvd.enisa.europa.eu/enisa/EUVD-2026-14897	external
	https://my.f5.com/manage/s/article/K000160383	external
	https://my.f5.com/manage/s/article/K000160382	external
	https://my.f5.com/manage/s/article/K000160364	external
	https://my.f5.com/manage/s/article/K000160367	external
	https://my.f5.com/manage/s/article/K000160368	external
	https://my.f5.com/manage/s/article/K000160366	external
	https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
	https://lists.opensuse.org/archives/list/security…	external
	https://linux.oracle.com/errata/ELSA-2026-6906.html	external
	https://access.redhat.com/errata/RHSA-2026:6907	external
	https://access.redhat.com/errata/RHSA-2026:6906	external
	https://errata.build.resf.org/RLSA-2026:6923	external
	https://access.redhat.com/errata/RHSA-2026:6923	external
	https://access.redhat.com/errata/RHSA-2026:7002	external
	https://linux.oracle.com/errata/ELSA-2026-6923.html	external
	https://errata.build.resf.org/RLSA-2026:6907	external
	https://access.redhat.com/errata/RHSA-2026:7343	external
	https://linux.oracle.com/errata/ELSA-2026-7002.html	external
	https://linux.oracle.com/errata/ELSA-2026-6907.html	external
	https://errata.build.resf.org/RLSA-2026:6906	external
	https://errata.build.resf.org/RLSA-2026:7343	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "NGINX Plus ist die kommerzielle Variante von NGINX, einer Webserver-, Reverse Proxy- und E-Mail Proxy Software.\r\nNGINX ist eine Webserver-, Reverse Proxy- und E-Mail-Proxy Software.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in NGINX Plus und NGINX ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren, um Daten zu manipulieren, um Sicherheitsvorkehrungen zu umgehen, und potenziell um beliebigen Programmcode auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0860 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0860.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0860 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0860"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-03-24",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-14880"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-03-24",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-14881"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-03-24",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-14883"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-03-24",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-14885"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-03-24",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-14887"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-03-24",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-14897"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory vom 2026-03-24",
        "url": "https://my.f5.com/manage/s/article/K000160383"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory vom 2026-03-24",
        "url": "https://my.f5.com/manage/s/article/K000160382"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory vom 2026-03-24",
        "url": "https://my.f5.com/manage/s/article/K000160364"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory vom 2026-03-24",
        "url": "https://my.f5.com/manage/s/article/K000160367"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory vom 2026-03-24",
        "url": "https://my.f5.com/manage/s/article/K000160368"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory vom 2026-03-24",
        "url": "https://my.f5.com/manage/s/article/K000160366"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2026-4DE4D247A0 vom 2026-03-25",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-4de4d247a0"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10423-1 vom 2026-03-28",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XQVD3WMISNZQSD5MXTECPJHIO3LBJKQ7/"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-6906 vom 2026-04-08",
        "url": "https://linux.oracle.com/errata/ELSA-2026-6906.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:6907 vom 2026-04-08",
        "url": "https://access.redhat.com/errata/RHSA-2026:6907"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:6906 vom 2026-04-08",
        "url": "https://access.redhat.com/errata/RHSA-2026:6906"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:6923 vom 2026-04-08",
        "url": "https://errata.build.resf.org/RLSA-2026:6923"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:6923 vom 2026-04-08",
        "url": "https://access.redhat.com/errata/RHSA-2026:6923"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:7002 vom 2026-04-08",
        "url": "https://access.redhat.com/errata/RHSA-2026:7002"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-6923 vom 2026-04-08",
        "url": "https://linux.oracle.com/errata/ELSA-2026-6923.html"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:6907 vom 2026-04-09",
        "url": "https://errata.build.resf.org/RLSA-2026:6907"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:7343 vom 2026-04-09",
        "url": "https://access.redhat.com/errata/RHSA-2026:7343"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-7002 vom 2026-04-09",
        "url": "https://linux.oracle.com/errata/ELSA-2026-7002.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-6907 vom 2026-04-09",
        "url": "https://linux.oracle.com/errata/ELSA-2026-6907.html"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:6906 vom 2026-04-09",
        "url": "https://errata.build.resf.org/RLSA-2026:6906"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:7343 vom 2026-04-10",
        "url": "https://errata.build.resf.org/RLSA-2026:7343"
      }
    ],
    "source_lang": "en-US",
    "title": "NGINX und NGINX Plus: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-04-09T22:00:00.000+00:00",
      "generator": {
        "date": "2026-04-10T07:10:07.356+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0860",
      "initial_release_date": "2026-03-24T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-24T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-03-25T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Fedora aufgenommen"
        },
        {
          "date": "2026-03-29T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-04-07T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Oracle Linux, Red Hat und Rocky Enterprise Software Foundation aufgenommen"
        },
        {
          "date": "2026-04-08T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Oracle Linux und Rocky Enterprise Software Foundation aufgenommen"
        },
        {
          "date": "2026-04-09T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat, Oracle Linux und Rocky Enterprise Software Foundation aufgenommen"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.29.7",
                "product": {
                  "name": "NGINX NGINX \u003c1.29.7",
                  "product_id": "T052140"
                }
              },
              {
                "category": "product_version",
                "name": "1.29.7",
                "product": {
                  "name": "NGINX NGINX 1.29.7",
                  "product_id": "T052140-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx:1.29.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.28.3",
                "product": {
                  "name": "NGINX NGINX \u003c1.28.3",
                  "product_id": "T052141"
                }
              },
              {
                "category": "product_version",
                "name": "1.28.3",
                "product": {
                  "name": "NGINX NGINX 1.28.3",
                  "product_id": "T052141-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx:1.28.3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "NGINX"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cR36 P3",
                "product": {
                  "name": "NGINX NGINX Plus \u003cR36 P3",
                  "product_id": "T052137"
                }
              },
              {
                "category": "product_version",
                "name": "R36 P3",
                "product": {
                  "name": "NGINX NGINX Plus R36 P3",
                  "product_id": "T052137-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx_plus:r36_p3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cR35 P2",
                "product": {
                  "name": "NGINX NGINX Plus \u003cR35 P2",
                  "product_id": "T052138"
                }
              },
              {
                "category": "product_version",
                "name": "R35 P2",
                "product": {
                  "name": "NGINX NGINX Plus R35 P2",
                  "product_id": "T052138-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx_plus:r35_p2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cR32 P5",
                "product": {
                  "name": "NGINX NGINX Plus \u003cR32 P5",
                  "product_id": "T052139"
                }
              },
              {
                "category": "product_version",
                "name": "R32 P5",
                "product": {
                  "name": "NGINX NGINX Plus R32 P5",
                  "product_id": "T052139-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx_plus:r32_p5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "NGINX Plus"
          }
        ],
        "category": "vendor",
        "name": "NGINX"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "RESF Rocky Linux",
            "product": {
              "name": "RESF Rocky Linux",
              "product_id": "T032255",
              "product_identification_helper": {
                "cpe": "cpe:/o:resf:rocky_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "RESF"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-27651",
      "product_status": {
        "known_affected": [
          "T052140",
          "T052141",
          "67646",
          "T027843",
          "T052139",
          "T052137",
          "T052138",
          "T004914",
          "T032255",
          "74185"
        ]
      },
      "release_date": "2026-03-24T23:00:00.000+00:00",
      "title": "CVE-2026-27651"
    },
    {
      "cve": "CVE-2026-27654",
      "product_status": {
        "known_affected": [
          "T052140",
          "T052141",
          "67646",
          "T027843",
          "T052139",
          "T052137",
          "T052138",
          "T004914",
          "T032255",
          "74185"
        ]
      },
      "release_date": "2026-03-24T23:00:00.000+00:00",
      "title": "CVE-2026-27654"
    },
    {
      "cve": "CVE-2026-27784",
      "product_status": {
        "known_affected": [
          "T052140",
          "T052141",
          "67646",
          "T027843",
          "T052139",
          "T052137",
          "T052138",
          "T004914",
          "T032255",
          "74185"
        ]
      },
      "release_date": "2026-03-24T23:00:00.000+00:00",
      "title": "CVE-2026-27784"
    },
    {
      "cve": "CVE-2026-32647",
      "product_status": {
        "known_affected": [
          "T052140",
          "T052141",
          "67646",
          "T027843",
          "T052139",
          "T052137",
          "T052138",
          "T004914",
          "T032255",
          "74185"
        ]
      },
      "release_date": "2026-03-24T23:00:00.000+00:00",
      "title": "CVE-2026-32647"
    },
    {
      "cve": "CVE-2026-28755",
      "product_status": {
        "known_affected": [
          "T052140",
          "T052141",
          "67646",
          "T027843",
          "T052139",
          "T052137",
          "T052138",
          "T004914",
          "T032255",
          "74185"
        ]
      },
      "release_date": "2026-03-24T23:00:00.000+00:00",
      "title": "CVE-2026-28755"
    },
    {
      "cve": "CVE-2026-28753",
      "product_status": {
        "known_affected": [
          "T052140",
          "T052141",
          "67646",
          "T027843",
          "T052139",
          "T052137",
          "T052138",
          "T004914",
          "T032255",
          "74185"
        ]
      },
      "release_date": "2026-03-24T23:00:00.000+00:00",
      "title": "CVE-2026-28753"
    }
  ]
}

CVE-2026-27784 (GCVE-0-2026-27784)

Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-25 14:09

Title

NGINX ngx_http_mp4_module vulnerability

Summary

The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.5 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

References

URL

Tags

https://my.f5.com/manage/s/article/K000160364

vendor-advisory

Impacted products

	Vendor	Product	Version
	F5	NGINX Open Source	Affected: 1.29.0 , < 1.29.7 (semver) Affected: 1.1.19 , < 1.28.3 (semver)

Date Public ?

2026-03-24 14:00

Credits

F5 acknowledges Prabhav Srinath (sprabhav7) for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27784",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T03:55:53.601160Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:09:53.726Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_mp4_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "1.29.7",
              "status": "affected",
              "version": "1.29.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.28.3",
              "status": "affected",
              "version": "1.1.19",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "F5 acknowledges Prabhav Srinath (sprabhav7) for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-03-24T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T14:36:46.530Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000160364"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_mp4_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-27784",
    "datePublished": "2026-03-24T14:13:25.343Z",
    "dateReserved": "2026-03-18T16:06:38.416Z",
    "dateUpdated": "2026-03-25T14:09:53.726Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28755 (GCVE-0-2026-28755)

Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-24 15:24

Title

NGINX ngx_stream_ssl_module vulnerability

Summary

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-863 - Incorrect Authorization

Assigner

References

URL

Tags

https://my.f5.com/manage/s/article/K000160368

vendor-advisory

Impacted products

Vendor

Product

Version

NGINX Open Source

Affected: 1.29.0 , < 1.29.7 (semver)
Affected: 1.27.2 , < 1.28.3 (semver)

NGINX Plus

Affected: R36 , < R36 P3 (custom)
Affected: R35 , < R35 P2 (custom)
Affected: R34 , < * (custom)
Affected: R33 , < * (custom)

Date Public ?

2026-03-24 14:00

Credits

Mufeed VH of Winfunc Research

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28755",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T15:24:10.756255Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:24:16.108Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_stream_ssl_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "1.29.7",
              "status": "affected",
              "version": "1.29.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.28.3",
              "status": "affected",
              "version": "1.27.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_stream_ssl_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "R36 P3",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R35 P2",
              "status": "affected",
              "version": "R35",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R34",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R33",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Mufeed VH of Winfunc Research"
        }
      ],
      "datePublic": "2026-03-24T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. \u0026nbsp; \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. \u00a0 \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T14:43:39.944Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000160368"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_stream_ssl_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-28755",
    "datePublished": "2026-03-24T14:13:26.502Z",
    "dateReserved": "2026-03-18T16:06:38.442Z",
    "dateUpdated": "2026-03-24T15:24:16.108Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28753 (GCVE-0-2026-28753)

Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-24 15:24

Title

NGINX ngx_mail_proxy_module vulnerability

Summary

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Assigner

References

URL

Tags

https://my.f5.com/manage/s/article/K000160367

vendor-advisory

Impacted products

Vendor

Product

Version

NGINX Open Source

Affected: 1.29.0 , < 1.29.7 (semver)
Affected: 0.6.27 , < 1.28.3 (semver)

NGINX Plus

Affected: R36 , < R36 P3 (custom)
Affected: R35 , < R35 P2 (custom)
Affected: R34 , < * (custom)
Affected: R33 , < * (custom)
Affected: R32 , < R32 P5 (custom)

Date Public ?

2026-03-24 14:00

Credits

Asim Viladi Oglu Manizada Colin Warren Xiao Liu (Yunnan University) Yuan Tan (UC Riverside) Bird Liu (Lanzhou University)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28753",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T15:24:28.689685Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:24:34.995Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_mail_proxy_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "1.29.7",
              "status": "affected",
              "version": "1.29.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.28.3",
              "status": "affected",
              "version": "0.6.27",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_mail_proxy_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "R36 P3",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R35 P2",
              "status": "affected",
              "version": "R35",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R34",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R33",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P5",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Asim Viladi Oglu Manizada"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Colin Warren"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Xiao Liu (Yunnan University)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Yuan Tan (UC Riverside)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Bird Liu (Lanzhou University)"
        }
      ],
      "datePublic": "2026-03-24T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T14:49:49.169Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000160367"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_mail_proxy_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-28753",
    "datePublished": "2026-03-24T14:13:26.107Z",
    "dateReserved": "2026-03-18T16:06:38.435Z",
    "dateUpdated": "2026-03-24T15:24:34.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27654 (GCVE-0-2026-27654)

Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-24 15:15

Title

NGINX ngx_http_dav_module vulnerability

Summary

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

8.8 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

CWE

CWE-122 - Heap-based Buffer Overflow

Assigner

References

URL

Tags

https://my.f5.com/manage/s/article/K000160382

vendor-advisory

Impacted products

Vendor

Product

Version

NGINX Open Source

Affected: 1.29.0 , < 1.29.7 (semver)
Affected: 0.5.13 , < 1.28.3 (semver)

NGINX Plus

Affected: R36 , < R36 P3 (custom)
Affected: R35 , < R35 P2 (custom)
Affected: R34 , < * (custom)
Affected: R33 , < * (custom)
Affected: R32 , < R32 P5 (custom)

Date Public ?

2026-03-24 14:00

Credits

F5 acknowledges Calif.io in collaboration with Claude and Anthropic Research for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27654",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T15:14:50.235649Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:15:00.495Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_dav_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "1.29.7",
              "status": "affected",
              "version": "1.29.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.28.3",
              "status": "affected",
              "version": "0.5.13",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_dav_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "R36 P3",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R35 P2",
              "status": "affected",
              "version": "R35",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R34",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R33",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P5",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "F5 acknowledges Calif.io in collaboration with Claude and Anthropic Research for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-03-24T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T14:32:07.177Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000160382"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_dav_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-27654",
    "datePublished": "2026-03-24T14:13:26.879Z",
    "dateReserved": "2026-03-18T16:06:38.448Z",
    "dateUpdated": "2026-03-24T15:15:00.495Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32647 (GCVE-0-2026-32647)

Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-25 03:55

Title

NGINX ngx_http_mp4_module vulnerability

Summary

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.5 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-125 - Out-of-bounds Read

Assigner

References

URL

Tags

https://my.f5.com/manage/s/article/K000160366

vendor-advisory

Impacted products

Vendor

Product

Version

NGINX Open Source

Affected: 1.29.0 , < 1.29.7 (semver)
Affected: 1.1.19 , < 1.28.3 (semver)

NGINX Plus

Affected: R36 , < R36 P3 (custom)
Affected: R35 , < R35 P2 (custom)
Affected: R34 , < * (custom)
Affected: R33 , < * (custom)
Affected: R32 , < R32 P5 (custom)

Date Public ?

2026-03-24 14:00

Credits

F5 acknowledges Xint Code and Pavel Kohout (Aisle Research) for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32647",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T03:55:49.464Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_mp4_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "1.29.7",
              "status": "affected",
              "version": "1.29.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.28.3",
              "status": "affected",
              "version": "1.1.19",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_http_mp4_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "R36 P3",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R35 P2",
              "status": "affected",
              "version": "R35",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R34",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R33",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P5",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "F5 acknowledges Xint Code and Pavel Kohout (Aisle Research) for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-03-24T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T14:40:08.455Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000160366"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_mp4_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-32647",
    "datePublished": "2026-03-24T14:13:25.724Z",
    "dateReserved": "2026-03-18T16:06:38.427Z",
    "dateUpdated": "2026-03-25T03:55:49.464Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27651 (GCVE-0-2026-27651)

Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-24 15:14

Title

NGINX ngx_mail_auth_http_module vulnerability

Summary

When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-476 - NULL Pointer Dereference

Assigner

References

URL

Tags

https://my.f5.com/manage/s/article/K000160383

vendor-advisory

Impacted products

Vendor

Product

Version

NGINX Open Source

Affected: 1.29.0 , < 1.29.7 (semver)
Affected: 0.5.15 , < 1.28.3 (semver)

NGINX Plus

Affected: R36 , < R36 P3 (custom)
Affected: R35 , < R35 P2 (custom)
Affected: R34 , < * (custom)
Affected: R33 , < * (custom)
Affected: R32 , < R32 P5 (custom)

Date Public ?

2026-03-24 14:00

Credits

F5 acknowledges Arkadi Vainbrand for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27651",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T15:02:03.137056Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:14:13.220Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_mail_auth_http_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "1.29.7",
              "status": "affected",
              "version": "1.29.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.28.3",
              "status": "affected",
              "version": "0.5.15",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_mail_auth_http_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "R36 P3",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R35 P2",
              "status": "affected",
              "version": "R35",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R34",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R33",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P5",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "F5 acknowledges Arkadi Vainbrand for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-03-24T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen the \u003c/span\u003e\u003cstrong\u003engx_mail_auth_http_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header.\u003c/span\u003e Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "When the ngx_mail_auth_http_module\u00a0module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T14:22:35.756Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000160383"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_mail_auth_http_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-27651",
    "datePublished": "2026-03-24T14:13:27.295Z",
    "dateReserved": "2026-03-18T16:06:38.454Z",
    "dateUpdated": "2026-03-24T15:14:13.220Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0860

CVE-2026-27784 (GCVE-0-2026-27784)

CVE-2026-28755 (GCVE-0-2026-28755)

CVE-2026-28753 (GCVE-0-2026-28753)

CVE-2026-27654 (GCVE-0-2026-27654)

CVE-2026-32647 (GCVE-0-2026-32647)

CVE-2026-27651 (GCVE-0-2026-27651)

Tags

Sightings

Nomenclature