Exploit for Missing Encryption of Sensitive Data in Nginxui Nginx_Ui

CVE-2026-27944 POC: Nginx UI Unauthenticated Backup Download +...

GHSA-G9W5-QFFC-6762 Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure

Summary The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data user credentials,...