Vulnerability-Lookup

WID-SEC-W-2026-1527

Vulnerability from csaf_certbund - Published: 2026-05-14 22:00 - Updated: 2026-05-18 22:00

Summary

NGINX Open Source and NGINX Plus: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: NGINX Plus ist die kommerzielle Variante von NGINX, einer Webserver-, Reverse Proxy- und E-Mail Proxy Software. NGINX ist eine Webserver-, Reverse Proxy- und E-Mail-Proxy Software.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in NGINX Open Source and NGINX Plus ausnutzen, um Sicherheitsvorkehrungen zu umgehen, beliebigen Code auszuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme: - Linux - UNIX - Windows

CVE-2026-40460

Affected products

Known affected 11 products

Product	Identifier	Version
NGINX NGINX Plus <37.0.0 NGINX / NGINX Plus		<37.0.0
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
NGINX NGINX Plus <R32 P6 NGINX / NGINX Plus		<R32 P6
NGINX NGINX Open Source <1.30.1 NGINX / NGINX		Open Source <1.30.1
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
NGINX NGINX Open Source <1.31.0 NGINX / NGINX		Open Source <1.31.0
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—
NGINX NGINX Plus <R36 P4 NGINX / NGINX Plus		<R36 P4

CVE-2026-40701

Affected products

Known affected 10 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
NGINX NGINX Plus <R32 P6 NGINX / NGINX Plus		<R32 P6
NGINX NGINX Open Source <1.30.1 NGINX / NGINX		Open Source <1.30.1
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
NGINX NGINX Open Source <1.31.0 NGINX / NGINX		Open Source <1.31.0
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—
NGINX NGINX Plus <R36 P4 NGINX / NGINX Plus		<R36 P4

CVE-2026-42926

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
NGINX NGINX Open Source <1.30.1 NGINX / NGINX		Open Source <1.30.1
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
NGINX NGINX Open Source <1.31.0 NGINX / NGINX		Open Source <1.31.0
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—

CVE-2026-42934

Affected products

Known affected 11 products

Product	Identifier	Version
NGINX NGINX Plus <37.0.0 NGINX / NGINX Plus		<37.0.0
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
NGINX NGINX Plus <R32 P6 NGINX / NGINX Plus		<R32 P6
NGINX NGINX Open Source <1.30.1 NGINX / NGINX		Open Source <1.30.1
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
NGINX NGINX Open Source <1.31.0 NGINX / NGINX		Open Source <1.31.0
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—
NGINX NGINX Plus <R36 P4 NGINX / NGINX Plus		<R36 P4

CVE-2026-42945

Affected products

Known affected 11 products

Product	Identifier	Version
NGINX NGINX Plus <37.0.0 NGINX / NGINX Plus		<37.0.0
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
NGINX NGINX Plus <R32 P6 NGINX / NGINX Plus		<R32 P6
NGINX NGINX Open Source <1.30.1 NGINX / NGINX		Open Source <1.30.1
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
NGINX NGINX Open Source <1.31.0 NGINX / NGINX		Open Source <1.31.0
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—
NGINX NGINX Plus <R36 P4 NGINX / NGINX Plus		<R36 P4

CVE-2026-42946

Affected products

Known affected 10 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
NGINX NGINX Plus <R32 P6 NGINX / NGINX Plus		<R32 P6
NGINX NGINX Open Source <1.30.1 NGINX / NGINX		Open Source <1.30.1
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
NGINX NGINX Open Source <1.31.0 NGINX / NGINX		Open Source <1.31.0
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—
NGINX NGINX Plus <R36 P4 NGINX / NGINX Plus		<R36 P4

References

33 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/advisories/GHSA-GCGV-V5GF-C543	external
https://github.com/advisories/GHSA-H7RQ-F9GQ-MC8R	external
https://github.com/advisories/GHSA-X88Q-X2R7-VG3G	external
https://github.com/advisories/GHSA-V43F-895R-CHHH	external
https://github.com/advisories/GHSA-6VMC-2WH4-77QP	external
https://github.com/advisories/GHSA-FM65-XRRR-C358	external
https://github.com/p3Nt3st3r-sTAr/CVE-2026-42945-POC	external
https://my.f5.com/manage/s/article/K000161019	external
https://my.f5.com/manage/s/article/K000161021	external
https://my.f5.com/manage/s/article/K000161068	external
https://my.f5.com/manage/s/article/K000161131	external
https://my.f5.com/manage/s/article/K000161027	external
https://my.f5.com/manage/s/article/K000161028	external
https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
https://ubuntu.com/security/notices/USN-8271-1	external
https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
https://access.redhat.com/errata/RHSA-2026:17751	external
https://access.redhat.com/errata/RHSA-2026:17753	external
https://access.redhat.com/errata/RHSA-2026:17752	external
https://access.redhat.com/errata/RHSA-2026:18029	external
https://access.redhat.com/errata/RHSA-2026:17790	external
https://access.redhat.com/errata/RHSA-2026:17791	external
https://access.redhat.com/errata/RHSA-2026:17792	external
https://access.redhat.com/errata/RHSA-2026:17793	external
https://access.redhat.com/errata/RHSA-2026:17794	external
https://access.redhat.com/errata/RHSA-2026:18063	external
https://access.redhat.com/errata/RHSA-2026:18041	external
https://lists.debian.org/debian-lts-announce/2026…	external
https://lists.opensuse.org/archives/list/security…	external
https://errata.build.resf.org/RLSA-2026:18041	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "NGINX Plus ist die kommerzielle Variante von NGINX, einer Webserver-, Reverse Proxy- und E-Mail Proxy Software.\r\nNGINX ist eine Webserver-, Reverse Proxy- und E-Mail-Proxy Software.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in NGINX Open Source and NGINX Plus ausnutzen, um Sicherheitsvorkehrungen zu umgehen, beliebigen Code auszuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1527 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1527.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1527 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1527"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-GCGV-V5GF-C543 vom 2026-05-13",
        "url": "https://github.com/advisories/GHSA-GCGV-V5GF-C543"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-H7RQ-F9GQ-MC8R vom 2026-05-13",
        "url": "https://github.com/advisories/GHSA-H7RQ-F9GQ-MC8R"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-X88Q-X2R7-VG3G vom 2026-05-13",
        "url": "https://github.com/advisories/GHSA-X88Q-X2R7-VG3G"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-V43F-895R-CHHH vom 2026-05-13",
        "url": "https://github.com/advisories/GHSA-V43F-895R-CHHH"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-6VMC-2WH4-77QP vom 2026-05-13",
        "url": "https://github.com/advisories/GHSA-6VMC-2WH4-77QP"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-FM65-XRRR-C358 vom 2026-05-13",
        "url": "https://github.com/advisories/GHSA-FM65-XRRR-C358"
      },
      {
        "category": "external",
        "summary": "PoC CVE-2026-42945 vom 2026-05-13",
        "url": "https://github.com/p3Nt3st3r-sTAr/CVE-2026-42945-POC"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory K000161019 vom 2026-05-13",
        "url": "https://my.f5.com/manage/s/article/K000161019"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory K000161021 vom 2026-05-13",
        "url": "https://my.f5.com/manage/s/article/K000161021"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory K000161068 vom 2026-05-13",
        "url": "https://my.f5.com/manage/s/article/K000161068"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory K000161131 vom 2026-05-13",
        "url": "https://my.f5.com/manage/s/article/K000161131"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory K000161027 vom 2026-05-13",
        "url": "https://my.f5.com/manage/s/article/K000161027"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory K000161028 vom 2026-05-13",
        "url": "https://my.f5.com/manage/s/article/K000161028"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2026-094EB13BB1 vom 2026-05-14",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-094eb13bb1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8271-1 vom 2026-05-14",
        "url": "https://ubuntu.com/security/notices/USN-8271-1"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2026-FB53CB4D67 vom 2026-05-14",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-fb53cb4d67"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2026-38623B4FED vom 2026-05-14",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-38623b4fed"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17751 vom 2026-05-15",
        "url": "https://access.redhat.com/errata/RHSA-2026:17751"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17753 vom 2026-05-15",
        "url": "https://access.redhat.com/errata/RHSA-2026:17753"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17752 vom 2026-05-15",
        "url": "https://access.redhat.com/errata/RHSA-2026:17752"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:18029 vom 2026-05-18",
        "url": "https://access.redhat.com/errata/RHSA-2026:18029"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17790 vom 2026-05-15",
        "url": "https://access.redhat.com/errata/RHSA-2026:17790"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17791 vom 2026-05-15",
        "url": "https://access.redhat.com/errata/RHSA-2026:17791"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17792 vom 2026-05-16",
        "url": "https://access.redhat.com/errata/RHSA-2026:17792"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17793 vom 2026-05-15",
        "url": "https://access.redhat.com/errata/RHSA-2026:17793"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17794 vom 2026-05-16",
        "url": "https://access.redhat.com/errata/RHSA-2026:17794"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:18063 vom 2026-05-18",
        "url": "https://access.redhat.com/errata/RHSA-2026:18063"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:18041 vom 2026-05-18",
        "url": "https://access.redhat.com/errata/RHSA-2026:18041"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4589 vom 2026-05-18",
        "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00033.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10796-1 vom 2026-05-18",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EVUBHQ3CZLOXLHHOL5Y3BXTI4PSUI2YD/"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:18041 vom 2026-05-18",
        "url": "https://errata.build.resf.org/RLSA-2026:18041"
      }
    ],
    "source_lang": "en-US",
    "title": "NGINX Open Source and NGINX Plus: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-18T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-19T05:36:18.303+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-1527",
      "initial_release_date": "2026-05-14T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-14T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-14T22:00:00.000+00:00",
          "number": "2",
          "summary": "version nicht vorhanden"
        },
        {
          "date": "2026-05-17T22:00:00.000+00:00",
          "number": "3",
          "summary": "Exploit CVE-2026-42945 best\u00e4tigt"
        },
        {
          "date": "2026-05-18T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat, Debian, openSUSE und Rocky Enterprise Software Foundation aufgenommen"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Open Source \u003c1.31.0",
                "product": {
                  "name": "NGINX NGINX Open Source \u003c1.31.0",
                  "product_id": "T054115"
                }
              },
              {
                "category": "product_version",
                "name": "Open Source 1.31.0",
                "product": {
                  "name": "NGINX NGINX Open Source 1.31.0",
                  "product_id": "T054115-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx:open_source__1.31.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Open Source \u003c1.30.1",
                "product": {
                  "name": "NGINX NGINX Open Source \u003c1.30.1",
                  "product_id": "T054116"
                }
              },
              {
                "category": "product_version",
                "name": "Open Source 1.30.1",
                "product": {
                  "name": "NGINX NGINX Open Source 1.30.1",
                  "product_id": "T054116-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx:open_source__1.30.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "NGINX"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c37.0.0",
                "product": {
                  "name": "NGINX NGINX Plus \u003c37.0.0",
                  "product_id": "T054112"
                }
              },
              {
                "category": "product_version",
                "name": "37.0.0",
                "product": {
                  "name": "NGINX NGINX Plus 37.0.0",
                  "product_id": "T054112-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx_plus:37.0.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cR36 P4",
                "product": {
                  "name": "NGINX NGINX Plus \u003cR36 P4",
                  "product_id": "T054113"
                }
              },
              {
                "category": "product_version",
                "name": "R36 P4",
                "product": {
                  "name": "NGINX NGINX Plus R36 P4",
                  "product_id": "T054113-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx_plus:r36_p4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cR32 P6",
                "product": {
                  "name": "NGINX NGINX Plus \u003cR32 P6",
                  "product_id": "T054118"
                }
              },
              {
                "category": "product_version",
                "name": "R32 P6",
                "product": {
                  "name": "NGINX NGINX Plus R32 P6",
                  "product_id": "T054118-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx_plus:r32_p6"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "NGINX Plus"
          }
        ],
        "category": "vendor",
        "name": "NGINX"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "RESF Rocky Linux",
            "product": {
              "name": "RESF Rocky Linux",
              "product_id": "T032255",
              "product_identification_helper": {
                "cpe": "cpe:/o:resf:rocky_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "RESF"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-40460",
      "product_status": {
        "known_affected": [
          "T054112",
          "2951",
          "67646",
          "T000126",
          "T027843",
          "T054118",
          "T054116",
          "T032255",
          "T054115",
          "74185",
          "T054113"
        ]
      },
      "release_date": "2026-05-13T22:00:00.000+00:00",
      "title": "CVE-2026-40460"
    },
    {
      "cve": "CVE-2026-40701",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T027843",
          "T054118",
          "T054116",
          "T032255",
          "T054115",
          "74185",
          "T054113"
        ]
      },
      "release_date": "2026-05-13T22:00:00.000+00:00",
      "title": "CVE-2026-40701"
    },
    {
      "cve": "CVE-2026-42926",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T027843",
          "T054116",
          "T032255",
          "T054115",
          "74185"
        ]
      },
      "release_date": "2026-05-13T22:00:00.000+00:00",
      "title": "CVE-2026-42926"
    },
    {
      "cve": "CVE-2026-42934",
      "product_status": {
        "known_affected": [
          "T054112",
          "2951",
          "67646",
          "T000126",
          "T027843",
          "T054118",
          "T054116",
          "T032255",
          "T054115",
          "74185",
          "T054113"
        ]
      },
      "release_date": "2026-05-13T22:00:00.000+00:00",
      "title": "CVE-2026-42934"
    },
    {
      "cve": "CVE-2026-42945",
      "product_status": {
        "known_affected": [
          "T054112",
          "2951",
          "67646",
          "T000126",
          "T027843",
          "T054118",
          "T054116",
          "T032255",
          "T054115",
          "74185",
          "T054113"
        ]
      },
      "release_date": "2026-05-13T22:00:00.000+00:00",
      "title": "CVE-2026-42945"
    },
    {
      "cve": "CVE-2026-42946",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T027843",
          "T054118",
          "T054116",
          "T032255",
          "T054115",
          "74185",
          "T054113"
        ]
      },
      "release_date": "2026-05-13T22:00:00.000+00:00",
      "title": "CVE-2026-42946"
    }
  ]
}

CVE-2026-40460 (GCVE-0-2026-40460)

Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:06

Title

NGINX ngx_quic_module vulnerability

Summary

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-290 - Authentication Bypass by Spoofing

Assigner

References

1 reference

URL	Tags
https://my.f5.com/manage/s/article/K000161068	vendor-advisorypatch

Impacted products

2 products

Vendor	Product	Version
F5	NGINX Plus	Unaffected: R37 , < * (custom) Affected: R36 , < R36 P4 (custom) Affected: R32 , < R32 P6 (custom)
F5	NGINX Open Source	Unaffected: 1.31.0 , < * (semver) Affected: 1.26.0 , < 1.30.1 (semver)

Date Public ?

2026-05-13 14:00

Credits

F5 acknowledges Rodrigo Laneth of Miralium Research for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40460",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:54:59.053463Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T16:06:43.631Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_quic_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "R37",
              "versionType": "custom"
            },
            {
              "lessThan": "R36 P4",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P6",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_quic_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.31.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.30.1",
              "status": "affected",
              "version": "1.26.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "F5 acknowledges Rodrigo Laneth of Miralium Research for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-05-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen NGINX Plus or NGINX Open Source are configured to use the \u003c/span\u003e\u003cstrong\u003eHTTP/3 QUIC\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.\u0026nbsp;\u0026nbsp;\u003c/span\u003eNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC\u00a0module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290 Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T14:12:45.291Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://my.f5.com/manage/s/article/K000161068"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_quic_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-40460",
    "datePublished": "2026-05-13T14:12:45.291Z",
    "dateReserved": "2026-04-30T23:04:27.969Z",
    "dateUpdated": "2026-05-13T16:06:43.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40701 (GCVE-0-2026-40701)

Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:07

Title

NGINX ngx_http_ssl_module vulnerability

Summary

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-416 - Use After Free

Assigner

References

1 reference

URL	Tags
https://my.f5.com/manage/s/article/K000161021	vendor-advisorypatch

Impacted products

2 products

Vendor	Product	Version
F5	NGINX Plus	Unaffected: R37 , < * (custom) Affected: R36 , < R36 P4 (custom) Affected: R32 , < R32 P6 (custom)
F5	NGINX Open Source	Unaffected: 1.31.0 , < * (semver) Affected: 1.19.0 , < 1.30.1 (semver)

Date Public ?

2026-05-13 14:00

Credits

F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40701",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:55:34.604451Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T16:07:37.463Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_ssl_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "R37",
              "versionType": "custom"
            },
            {
              "lessThan": "R36 P4",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P6",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_http_ssl_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.31.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.30.1",
              "status": "affected",
              "version": "1.19.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-05-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_ssl_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module when the \u003c/span\u003e\u003cstrong\u003essl_verify_client\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is set to \"on\" or \"optional,\" and the \u003c/span\u003e\u003cstrong\u003essl_ocsp\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is set to \"on\" or the \u003c/span\u003e\u003cstrong\u003eleaf\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u0026nbsp;Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module\u00a0module when the ssl_verify_client\u00a0directive is set to \"on\" or \"optional,\" and the ssl_ocsp\u00a0directive is set to \"on\" or the leaf\u00a0parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting.\n\n\n\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T14:12:43.588Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://my.f5.com/manage/s/article/K000161021"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_ssl_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-40701",
    "datePublished": "2026-05-13T14:12:43.588Z",
    "dateReserved": "2026-04-30T23:04:27.950Z",
    "dateUpdated": "2026-05-13T16:07:37.463Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42926 (GCVE-0-2026-42926)

Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:16

Title

NGINX ngx_http_proxy_v2_module vulnerability

Summary

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-172 - Encoding Error

Assigner

References

1 reference

URL	Tags
https://my.f5.com/manage/s/article/K000161131	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
F5	NGINX Open Source	Unaffected: 1.31.0 , < * (semver) Affected: 1.29.4 , < 1.30.1 (semver)

Date Public ?

2026-05-13 14:00

Credits

F5 acknowledges Mufeed VH of Winfunc Research, Hcamael of aipyaipy, and 章鱼哥 of aipyaipy for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42926",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:54:52.773305Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T16:06:30.263Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_http_proxy_v2_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.31.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.30.1",
              "status": "affected",
              "version": "1.29.4",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "F5 acknowledges Mufeed VH of Winfunc Research, Hcamael of aipyaipy, and \u7ae0\u9c7c\u54e5 of aipyaipy for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-05-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen NGINX Open Source is configured to proxy HTTP/2 traffic by setting \u003c/span\u003e\u003cstrong\u003eproxy_http_version\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;to 2, and also uses \u003c/span\u003e\u003cstrong\u003eproxy_set_body\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, an attacker may be able to inject frame headers and payload bytes to the upstream peer.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version\u00a0to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-172",
              "description": "CWE-172 Encoding Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T16:16:54.456Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://my.f5.com/manage/s/article/K000161131"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_proxy_v2_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-42926",
    "datePublished": "2026-05-13T14:12:45.695Z",
    "dateReserved": "2026-05-05T21:19:09.531Z",
    "dateUpdated": "2026-05-13T16:16:54.456Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42934 (GCVE-0-2026-42934)

Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:07

Title

NGINX ngx_http_charset_module vulnerability

Summary

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-125 - Out-of-bounds Read

Assigner

References

1 reference

URL	Tags
https://my.f5.com/manage/s/article/K000161028	vendor-advisorypatch

Impacted products

2 products

Vendor	Product	Version
F5	NGINX Plus	Unaffected: R37 , < * (custom) Affected: R36 , < R36 P4 (custom) Affected: R32 , < R32 P6 (custom)
F5	NGINX Open Source	Unaffected: 1.31.0 , < * (semver) Affected: 0.3.50 , < 1.30.1 (semver)

Date Public ?

2026-05-13 14:00

Credits

F5 acknowledges David Carlier and Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42934",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:55:18.483975Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T16:07:10.334Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_charset_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "R37",
              "versionType": "custom"
            },
            {
              "lessThan": "R36 P4",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P6",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_http_charset_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.31.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.30.1",
              "status": "affected",
              "version": "0.3.50",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "F5 acknowledges David Carlier and Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-05-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_charset_module \u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emodule. When \u003c/span\u003e\u003cstrong\u003echarset\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003cstrong\u003esource_charset\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, and \u003c/span\u003e\u003cstrong\u003echarset_map\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003eproxy_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;with disabled buffering (\"off\") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers\u0027 control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u0026nbsp;Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map\u00a0and proxy_pass\u00a0with disabled buffering (\"off\") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers\u0027 control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.\n\n\n\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T14:12:44.331Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://my.f5.com/manage/s/article/K000161028"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_charset_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-42934",
    "datePublished": "2026-05-13T14:12:44.331Z",
    "dateReserved": "2026-04-30T23:04:27.960Z",
    "dateUpdated": "2026-05-13T16:07:10.334Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42945 (GCVE-0-2026-42945)

Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-21 18:28

Title

NGINX ngx_http_rewrite_module vulnerability

Summary

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

9.2 (Critical)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-122 - Heap-based Buffer Overflow.

Assigner

References

1 reference

URL	Tags
https://my.f5.com/manage/s/article/K000161019	vendor-advisorypatch

Impacted products

2 products

Vendor	Product	Version
F5	NGINX Plus	Unaffected: R37 , < * (custom) Affected: R36 , < R36 P4 (custom) Affected: R32 , < R32 P6 (custom)
F5	NGINX Open Source	Unaffected: 1.31.0 , < * (semver) Affected: 0.6.27 , < 1.30.1 (semver)

Date Public ?

2026-05-13 14:00

Credits

F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42945",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T03:56:26.480Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-14T18:54:21.853Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://depthfirst.com/nginx-rift"
          },
          {
            "url": "https://github.com/DepthFirstDisclosures/Nginx-Rift"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_rewrite_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "R37",
              "versionType": "custom"
            },
            {
              "lessThan": "R36 P4",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P6",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_http_rewrite_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.31.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.30.1",
              "status": "affected",
              "version": "0.6.27",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-05-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_rewrite_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module. This vulnerability exists when the \u003c/span\u003e\u003cstrong\u003erewrite\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is followed by a \u003c/span\u003e\u003cstrong\u003erewrite\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003cstrong\u003eif\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, or \u003c/span\u003e\u003cstrong\u003eset\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module\u00a0module. This vulnerability exists when the rewrite\u00a0directive is followed by a rewrite, if, or set\u00a0directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow.",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T18:28:55.718Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://my.f5.com/manage/s/article/K000161019"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_rewrite_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-42945",
    "datePublished": "2026-05-13T14:12:43.971Z",
    "dateReserved": "2026-04-30T23:04:27.955Z",
    "dateUpdated": "2026-05-21T18:28:55.718Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42946 (GCVE-0-2026-42946)

Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:06

Title

NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability

Summary

A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L

8.3 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-789 - Memory Allocation with Excessive Size Value
CWE-823 - Use of Out-of-range Pointer Offset

Assigner

References

1 reference

URL	Tags
https://my.f5.com/manage/s/article/K000161027	vendor-advisorypatch

Impacted products

2 products

Vendor	Product	Version
F5	NGINX Plus	Unaffected: R37 , < * (custom) Affected: R36 , < R36 P4 (custom) Affected: R32 , < R32 P6 (custom)
F5	NGINX Open Source	Unaffected: 1.31.0 , < * (semver) Affected: 0.8.42 , < 1.30.1 (semver)

Date Public ?

2026-05-13 14:00

Credits

F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42946",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:55:04.864917Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T16:06:56.898Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_scgi_module and ngx_http_uwsgi_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "R37",
              "versionType": "custom"
            },
            {
              "lessThan": "R36 P4",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P6",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_http_scgi_module and ngx_http_uwsgi_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.31.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.30.1",
              "status": "affected",
              "version": "0.8.42",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-05-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability exists in the \u003c/span\u003e\u003cstrong\u003engx_http_scgi_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003engx_http_uwsgi_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;modules that may result in excessive memory allocation or an over-read of data. When \u003c/span\u003e\u003cstrong\u003escgi_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or \u003c/span\u003e\u003cstrong\u003euwsgi_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "A vulnerability exists in the ngx_http_scgi_module\u00a0and ngx_http_uwsgi_module\u00a0modules that may result in excessive memory allocation or an over-read of data. When scgi_pass\u00a0or uwsgi_pass\u00a0is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-823",
              "description": "CWE-823: Use of Out-of-range Pointer Offset",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T14:12:44.697Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://my.f5.com/manage/s/article/K000161027"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-42946",
    "datePublished": "2026-05-13T14:12:44.697Z",
    "dateReserved": "2026-04-30T23:04:27.965Z",
    "dateUpdated": "2026-05-13T16:06:56.898Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1527

CVE-2026-40460 (GCVE-0-2026-40460)

CVE-2026-40701 (GCVE-0-2026-40701)

CVE-2026-42926 (GCVE-0-2026-42926)

CVE-2026-42934 (GCVE-0-2026-42934)

CVE-2026-42945 (GCVE-0-2026-42945)

CVE-2026-42946 (GCVE-0-2026-42946)

Tags

Sightings

Nomenclature