CVE-2026-42926

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxyhttpversion to 2, and also uses proxysetbody, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support EoTS are not...

CVE-2026-42926

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxyhttpversion to 2, and also uses proxysetbody, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support EoTS are not...

CVE-2026-42926

The connected F5 advisory confirms CVE-2026-42926 affects NGINX Open Source’s ngx_http_proxy_v2_module when proxy_http_version is set to 2 and proxy_set_body is used. The vulnerability allows a remote attacker to inject arbitrary HTTP/2 frame headers and payload bytes into the upstream connection...

nginx 0.6.27 < 1.28.3 / 1.29.x < 1.29.7 SMTP Upstream Injection

The installed version of nginx is 0.6.27 prior to 1.28.3, or 1.29.x prior to 1.29.7. It is, therefore, affected by the following issue : - NGINX Plus and NGINX Open Source have a vulnerability in the ngxmailsmtpmodule module due to the improper handling of CRLF sequences in DNS responses. This...

Amazon Linux 2 : nginx, --advisory ALAS2NGINX1-2026-010 (ALASNGINX1-2026-010)

The version of nginx installed on the remote host is prior to 1.28.2-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2NGINX1-2026-010 advisory. A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security TLS servers. A...

SSL upstream injection

SSL upstream injection Severity: medium CVE-2026-1642 Not vulnerable: 1.29.5+, 1.28.2+ Vulnerable: 1.3.0-1.29.4...