PT-2026-33848

Summary All WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking CSWSH. Combined with the fact that authentication tokens are stored in browser cookies set via JavaScript without HttpOnly or...

Exploit for Missing Authentication for Critical Function in Nginxui Nginx_Ui

CVE-2026-33032 / MCPwn !CVEhttps://img.shields.io/badge/C...

Exploit for Missing Authentication for Critical Function in Nginxui Nginx_Ui

CVE-2026-27944 + CVE-2026-33032 — nginx-ui Zero-Credential RCE...

CVE-2026-33032: Nginx UI Missing MCP Authentication

Overview On March 30, 2026, a security advisory was published for a critical vulnerability affecting Nginx UI. Nginx UI is an open-source web interface to centralize the management of Nginx configurations and SSL certificates. The critical vulnerability, CVE-2026-33032, was reported in early Marc...

Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover

A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild. The vulnerability in question is CVE-2026-33032 CVSS score: 9.8, an authentication bypass vulnerability that enables threat actors to...

SUSE CVE-2026-33026

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4...

SUSE CVE-2026-33027

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operati...

SUSE CVE-2026-33028

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms Mutex and non-atomic file writes, concurrent requests lead to the severe corruption of the prima...

SUSE CVE-2026-33029

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service DoS. By submitting a negative integer for the rotation interval, the backend enter...

SUSE CVE-2026-33030

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct...

SUSE CVE-2026-33032

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP Model Context Protocol integration exposes two HTTP endpoints: /mcp and /mcpmessage. While /mcp requires both IP whitelisting and authentication AuthRequired middleware, the /mcpmessage endpoi...

Exploit for Missing Authentication for Critical Function in Nginxui Nginx_Ui

CVE-2026-33032 Scanner Non-destructive vulnerability scanne...

GO-2026-4904 nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover in github.com/0xJacky/Nginx-UI

nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover in github.com/0xJacky/Nginx-UI...

GO-2026-4902 nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval in github.com/0xJacky/Nginx-UI

nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval in github.com/0xJacky/Nginx-UI...

GO-2026-4906 nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse in github.com/0xJacky/Nginx-UI

nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse in github.com/0xJacky/Nginx-UI...

GO-2026-4903 nginx-ui Backup Restore Allows Tampering with Encrypted Backups in github.com/0xJacky/Nginx-UI

nginx-ui Backup Restore Allows Tampering with Encrypted Backups in github.com/0xJacky/Nginx-UI...

PT-2026-29950

Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation in github.com/0xJacky/Nginx-UI...

PT-2026-29945

nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval in github.com/0xJacky/Nginx-UI...

PT-2026-29944

nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys in github.com/0xJacky/nginx-ui...

PT-2026-29946

nginx-ui Backup Restore Allows Tampering with Encrypted Backups in github.com/0xJacky/Nginx-UI...