6242 matches found
Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation
The nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory /etc/nginx. In particular, this allows an authenticated us...
nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval
An input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service DoS. By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive...
nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys
Nginx-UI contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a userid field, and all resource endpoints perform queries by ID without verifyin...
nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
The nginx-ui MCP Model Context Protocol integration exposes two HTTP endpoints: /mcp and /mcpmessage. While /mcp requires both IP whitelisting and authentication AuthRequired middleware, the /mcpmessage endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the...
PT-2026-29088
Name of the Vulnerable Software and Affected Versions Nginx UI versions prior to 2.3.4 Description Nginx UI improperly handles URL-encoded traversal sequences in its configuration, potentially leading to a partial Denial of Service. Specifically, specially crafted paths can cause the backend to...
PT-2026-29090
Name of the Vulnerable Software and Affected Versions Nginx UI versions prior to 2.3.4 Description An input validation issue in the logrotate configuration allows an authenticated user to cause a Denial of Service DoS. Submitting a negative integer for the rotation interval causes the backend to...
PT-2026-29103
Name of the Vulnerable Software and Affected Versions Nginx UI versions prior to 2.3.4 Description Nginx UI, a web user interface for the Nginx web server, contains a flaw in its backup restore mechanism. Prior to version 2.3.4, attackers can manipulate encrypted backup archives and inject...
PT-2026-29091
Nginx-UI and Affected Versions Nginx-UI versions 2.3.3 and prior Description Nginx-UI contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a us...
PT-2026-29089
Name of the Vulnerable Software and Affected Versions Nginx UI versions prior to 2.3.4 Description Nginx UI is susceptible to a race condition due to the absence of synchronization mechanisms and non-atomic file writes. Concurrent requests can severely corrupt the primary configuration file...
ANT-2026-VS18SA90 · nginx · Arbitrary File Write
arbitrary-file-write critical CVE-2026-27654 Severity Claude critical · Security research firm critical · Maintainer - Discovered by Claude Mythos Preview REPORT Anthropic's analysis, sealed at approval. Disclosure to the maintainer was performed by Calif. ANT-2026-VS18SA90: unauthenticated remot...
SUSE CVE-2026-4342
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. Note that i...
CVE-2026-33029
creationtimestamp| type| source ---|---|--- 2026-03-28 03:20:34+00:00| published-proof-of-concept| https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-cp8r-8jvw-v3qg...
CVE-2026-33027
creationtimestamp| type| source ---|---|--- 2026-03-28 03:19:28+00:00| published-proof-of-concept| https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m8p8-53vf-8357...
PT-2026-29092
Name of the Vulnerable Software and Affected Versions Nginx UI versions prior to 2.3.6 Description An authentication bypass exists in the Model Context Protocol MCP integration of Nginx UI. The software exposes two HTTP endpoints: '/mcp' and '/mcp message'. While '/mcp' requires both IP...
nginx-1.29.7-1.1 on GA media (moderate)
nginx-1.29.7-1.1 on GA media Announcement ID: openSUSE-SU-2026:10423-1 Rating: moderate Cross-References: CVE-2026-27651 CVE-2026-27654 CVE-2026-27784 CVE-2026-28753 CVE-2026-28755 CVE-2026-32647 CVSS scores: CVE-2026-27651 SUSE : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-27651 SU...
Vulnerabilities fixed in F5 Networks BIG-IP, F5OS and NGINX App Protect WAF
F5 Networks has fixed vulnerabilities in the BIG-IP and F5OS product lines and NGINX App Protect WAF. The vulnerabilities include several configuration issues and exploit vectors. A malicious party can exploit the vulnerabilities to launch attacks that can lead to the following categories of...
GHSA-67JX-R9PV-98RJ Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass
Summary There is a potential vulnerability in Traefik's Kubernetes Knative, Ingress, and Ingress-NGINX providers related to rule injection. User-controlled values are interpolated into backtick-delimited Traefik router rule expressions without escaping or validation. A malicious value containing ...
RLSA-2026:4705 Moderate: nginx security update
nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fixes: nginx: NGINX: Data injection via man-in-the-middle attack on TLS proxied connections CVE-2026-1642 For more details about the security issues,...
nginx security update
An update is available for nginx. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list nginx is a web and proxy server supporting HTTP and other protocols, with a...
NGINX ngx_http_mp4_module vulnerability
...