
6234 matches found

GithubExploit
added 2026/04/17 2:46 a.m. | 90 views

Exploit for CVE-2026-40175

CVE-2026-40175 — Axios CRLF Injection / HTTP Request Smuggling...

CVSS 10 | AI score 5.8 | EPSS 0.00597
Exploits: 5

Rapid7 Blog
added 2026/04/16 7:44 p.m. | 6 views

CVE-2026-33032: Nginx UI Missing MCP Authentication

Overview: On March 30, 2026, a security advisory was published for a critical vulnerability affecting Nginx UI. Nginx UI is an open-source web interface to centralize the management of Nginx configurations and SSL certificates. The critical vulnerability, CVE-2026-33032, was reported in early Marc...

CVSS 9.8 | AI score 7.3 | EPSS 0.38477
Exploits: 14

Tenable Nessus
added 2026/04/16 12:0 a.m. | 4 views

nginx 1.1.19 < 1.28.3 / 1.29.x < 1.29.7 Multiple Vulnerabilities in ngx_http_mp4_module

The installed version of nginx is 1.1.19 prior to 1.28.3, or 1.29.x prior to 1.29.7. It is, therefore, affected by multiple vulnerabilities: - The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-wri...

CVSS 8.5 | AI score 7.8 | EPSS 0.00333
Exploits: 0 | References: 5

Tenable Nessus
added 2026/04/16 12:0 a.m. | 14 views

AlmaLinux 9 : nginx:1.26 (ALSA-2026:7343)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:7343 advisory. nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files (CVE-2026-32647) NGINX: NGINX: Denial of Service or file modification via...

CVSS 8.8 | AI score 7.7 | EPSS 0.00481
Exploits: 0 | References: 6

Tenable Nessus
added 2026/04/16 12:0 a.m. | 1 views

nginx 0.5.13 < 1.28.3 / 1.29.x < 1.29.7 Buffer Overflow in ngx_http_dav_module

The installed version of nginx is 0.5.13 prior to 1.28.3, or 1.29.x prior to 1.29.7. It is, therefore, affected by the following issue: - NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX...

CVSS 8.8 | AI score 6.1 | EPSS 0.0047
Exploits: 0 | References: 3

Tenable Nessus
added 2026/04/16 12:0 a.m. | 13 views

nginx 1.27.2 < 1.28.3 / 1.29.x < 1.29.7 OCSP Result Bypass

The installed version of nginx is 1.27.2 prior to 1.28.3, or 1.29.x prior to 1.29.7. It is, therefore, affected by the following issue: - NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured wi...

CVSS 5.4 | AI score 5.8 | EPSS 0.00128
Exploits: 0 | References: 3

Tenable Nessus
added 2026/04/16 12:0 a.m. | 6 views

MiracleLinux 9 : nginx-1.20.1-24.el9_7.2.ML.1 (AXSA:2026-435:02)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-435:02 advisory. nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files (CVE-2026-32647) NGINX: NGINX: Denial of Service or file modification...

CVSS 8.8 | AI score 7.6 | EPSS 0.00481
Exploits: 0 | References: 5

Tenable Nessus
added 2026/04/16 12:0 a.m. | 2 views

nginx 0.6.27 < 1.28.3 / 1.29.x < 1.29.7 SMTP Upstream Injection

The installed version of nginx is 0.6.27 prior to 1.28.3, or 1.29.x prior to 1.29.7. It is, therefore, affected by the following issue: - NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This...

CVSS 6.3 | AI score 5.9 | EPSS 0.0025
Exploits: 0 | References: 3

Tenable Nessus
added 2026/04/16 12:0 a.m. | 3 views

nginx 0.5.15 < 1.28.3 / 1.29.x < 1.29.7 NULL Pointer Dereference

The installed version of nginx is 0.5.15 prior to 1.28.3, or 1.29.x prior to 1.29.7. It is, therefore, affected by the following issue: - When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue...

CVSS 8.7 | AI score 5.8 | EPSS 0.00481
Exploits: 0 | References: 3

RedHat Linux
added 2026/04/15 9:9 p.m. | 2 views

Important: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: nginx: nginx-1.30.0-1.hum1 aarch64, x86_64 nginx-all-modules-1.30.0-1.hum1 noarch nginx-core-1.30.0-1.hum1 aarch64, x86_64 nginx-filesystem-1.30.0-1.hum1 noarch nginx-mod-devel-1.30.0-1.hum1 aarch6...

CVSS 8.8 | AI score 7.3 | EPSS 0.00481
Exploits: 0 | References: 10

The Hacker News
added 2026/04/15 12:56 p.m. | 18 views

Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover

A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild. The vulnerability in question is CVE-2026-33032 (CVSS score: 9.8), an authentication bypass vulnerability that enables threat actors to...

CVSS 9.8 | AI score 7.7 | EPSS 0.38477
Exploits: 16

Tenable Nessus
added 2026/04/14 12:0 a.m. | 3 views

Photon OS 4.0: Nginx PHSA-2026-4.0-0994

An update of the nginx package has been released. %NASL_MIN_LEVEL 80900 (C) Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-4.0-0994. The text itself is copyright (C) VMware, Inc. include('compat.inc'); if (description)...

CVSS 8.8 | AI score 5.7 | EPSS 0.00481
Exploits: 0 | References: 6

Tenable Nessus
added 2026/04/14 12:0 a.m. | 28 views

Amazon Linux 2 : nginx, --advisory ALAS2NGINX1-2026-011 (ALASNGINX1-2026-011)

The version of nginx installed on the remote host is prior to 1.28.3-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NGINX1-2026-011 advisory. When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause...

CVSS 8.8 | AI score 7.9 | EPSS 0.00481
Exploits: 0 | References: 14

Tenable Nessus
added 2026/04/14 12:0 a.m. | 3 views

Photon OS 5.0: Nginx PHSA-2026-5.0-0811

An update of the nginx package has been released. %NASL_MIN_LEVEL 80900 (C) Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-5.0-0811. The text itself is copyright (C) VMware, Inc. include('compat.inc'); if (description)...

CVSS 8.8 | AI score 8.5 | EPSS 0.00481
Exploits: 0 | References: 6

Tenable Nessus
added 2026/04/14 12:0 a.m. | 10 views

MiracleLinux 9 : nginx:1.24 (AXSA:2026-433:01)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-433:01 advisory. nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files (CVE-2026-32647) NGINX: NGINX: Denial of Service or file modification...

CVSS 8.8 | AI score 7.7 | EPSS 0.00481
Exploits: 0 | References: 5

RubySec
added 2026/04/14 12:0 a.m. | 8 views

Decidim's comments API allows access to all commentable resources

Impact: The root-level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances that have not secured the /api endpoint are impacted. The /api endpoint is publicly available with the default configuration...

CVSS 7.5 | AI score 5.8 | EPSS 0.00287
Exploits: 0 | References: 1 | Affected Software: 1

OSV
added 2026/04/13 8:54 a.m. | 2 views

ROOT-OS-DEBIAN-12-CVE-2026-27651 CVE-2026-27651 in rootio-nginx - Patched by Root

Root has patched CVE-2026-27651 in the rootio-nginx package for Root:Debian:12. Multiple fixed versions available...

CVSS 8.7 | AI score 5.8 | EPSS 0.00481
Exploits: 0

OSV
added 2026/04/13 8:54 a.m. | 1 views

ROOT-OS-DEBIAN-12-CVE-2026-27654 CVE-2026-27654 in rootio-nginx - Patched by Root

Root has patched CVE-2026-27654 in the rootio-nginx package for Root:Debian:12. Multiple fixed versions available...

CVSS 8.8 | AI score 5.8 | EPSS 0.0047
Exploits: 0

OSV
added 2026/04/13 8:54 a.m. | 0 views

ROOT-OS-DEBIAN-12-CVE-2026-32647 CVE-2026-32647 in rootio-nginx - Patched by Root

Root has patched CVE-2026-32647 in the rootio-nginx package for Root:Debian:12. Multiple fixed versions available...

CVSS 8.5 | AI score 7.4 | EPSS 0.00333
Exploits: 0

Tenable Nessus
added 2026/04/13 12:0 a.m. | 9 views

Oracle Linux 9 : nginx:1.26 (ELSA-2026-7343)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-7343 advisory. - Resolves: RHEL-157887 - CVE-2026-32647 nginx:1.26/nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files - Resolves:...

CVSS 8.8 | AI score 6.2 | EPSS 0.00481
Exploits: 0 | References: 5