Lucene search
K
F5Nginx Instance Manager

16 matches found

CVE
CVE
added 2026/02/04 3:2 p.m.869 views

CVE-2026-1642

The CVE-2026-1642 entry describes a vulnerability in NGINX OSS and NGINX Plus when configured to proxy to upstream TLS servers. Under a MITM position on the upstream side and conditions outside the attacker’s control, an attacker may inject plain text data into the response from an upstream proxi...

8.2CVSS5.5AI score0.00339EPSS
CVE
CVE
added 2024/11/06 4:48 p.m.623 views

CVE-2024-10318

Summary of CVE-2024-10318: A session-fixation vulnerability in the NGINX OpenID Connect reference implementation arises from nonce validation being skipped at login. This allows an attacker to coerce a victim’s session to an attacker-controlled account, enabling potential misuse of the victim’s s...

5.4CVSS5.2AI score0.00339EPSS
CVE
CVE
added 2026/05/13 2:12 p.m.368 views

CVE-2026-42945

CVE-2026-42945 affects NGINX Open Source and NGINX Plus via the ngx_http_rewrite_module when a rewrite/if/set directive is followed by a PCRE capture and a replacement containing a question mark. This can cause a heap buffer overflow in the worker process and, on systems with ASLR disabled, poten...

9.2CVSS6.4AI score0.61469EPSS
In wild
CVE
CVE
added 2026/06/17 2:4 p.m.311 views

CVE-2026-42055

CVE-2026-42055 affects NGINX Plus and NGINX Open Source via the ngx_http_proxy_v2_module and ngx_http_grpc_module. A remote, unauthenticated attacker can exploit scenarios where proxy_http_version 2 or grpc_pass is used, ignore_invalid_headers is off, and large_client_header_buffers is set to mul...

9.2CVSS6AI score0.03459EPSS
CVE
CVE
added 2026/06/17 2:4 p.m.264 views

CVE-2026-42530

Summary : NGINX Open Source’s ngx_http_v3_module vulnerability (CVE-2026-42530) occurs when HTTP/3 QUIC is enabled. A remote unauthenticated attacker can craft an HTTP/3 session to reopen a QPACK encoder stream, causing a Use-after-Free in the NGINX worker process and potentially triggering a res...

9.2CVSS5.7AI score0.03225EPSS
CVE
CVE
added 2026/06/17 2:4 p.m.165 views

CVE-2026-48142

CVE-2026-48142 affects the ngx_http_charset_module in NGINX Plus and NGINX Open Source. When a location block uses both source_charset utf-8 and a charset directive (e.g., charset koi8-r), remote unauthenticated attackers can trigger a heap buffer over-read in the NGINX worker process, causing me...

6.3CVSS5.6AI score0.00398EPSS
CVE
CVE
added 2024/08/22 6:7 p.m.107 views

CVE-2024-7634

CVE-2024-7634 affects the NGINX Agent component (NGINX Agent) where the config_dirs restriction feature allows a highly privileged attacker to write/overwrite files outside the designated secure directory. Public sources (F5 advisory) indicate a path traversal-related issue with the affected rang...

6.9CVSS5.2AI score0.00471EPSS
CVE
CVE
added 2026/05/13 2:12 p.m.105 views

CVE-2026-42926

The connected F5 advisory confirms CVE-2026-42926 affects NGINX Open Source’s ngx_http_proxy_v2_module when proxy_http_version is set to 2 and proxy_set_body is used. The vulnerability allows a remote attacker to inject arbitrary HTTP/2 frame headers and payload bytes into the upstream connection...

6.3CVSS5.8AI score0.00339EPSS
Web
CVE
CVE
added 2022/08/04 5:49 p.m.98 views

CVE-2022-35241

CVE-2022-35241 affects NGINX Instance Manager (NGINX IM) and is documented by F5 as an issue where undisclosed requests can cause increased disk resource utilization, enabling a remote, authenticated attacker to degrade system performance (DoS). Affected branches: NGINX IM 2.x (2.0.0–2.3.0) with ...

6.5CVSS6.8AI score0.00658EPSS
CVE
CVE
added 2026/05/13 2:12 p.m.96 views

CVE-2026-40460

CVE-2026-40460 affects NGINX Plus ngx_quic_module and NGINX Open Source when HTTP/3 QUIC is enabled. An attacker could spoof the source IP to bypass authorization or rate limiting, potentially enabling unauthorized access or DoS. Remediation per the connected advisory: upgrade to vulnerable-produ...

6.9CVSS5.8AI score0.00367EPSS
CVE
CVE
added 2023/03/29 4:34 p.m.91 views

CVE-2023-1550

CVE-2023-1550 (NGINX Agent) affects NGINX Agent versions 2.0 through 2.23.2. The issue arises from inserting sensitive information into log files, exposed when non-default trace level logging is enabled. An authenticated attacker with local access to read agent log files may gain access to privat...

5.5CVSS5.1AI score0.00218EPSS
CVE
CVE
added 2023/05/03 2:34 p.m.84 views

CVE-2023-28656

CVE-2023-28656 – NGINX Management Suite : An authenticated attacker may bypass authorization to access configuration objects outside their assigned environment, a control-plane issue with no data-plane exposure reported. The vulnerability affects NGINX Management Suite components (NGINX Instance ...

8.1CVSS8.1AI score0.00528EPSS
CVE
CVE
added 2023/05/03 2:34 p.m.80 views

CVE-2023-28724

CVE-2023-28724 affects NGINX Management Suite components (NGINX Instance Manager and NGINX API Connectivity Manager). The root cause is incorrect default file permissions, allowing an authenticated attacker to modify sensitive files and potentially escalate privileges. Affected vulnerable ranges ...

7.1CVSS7AI score0.00171EPSS
CVE
CVE
added 2026/05/13 2:12 p.m.68 views

CVE-2026-42934

The CVE-2026-42934 entry concerns NGINX Plus and NGINX Open Source with a vulnerability in the ngx_http_charset_module. When charset, source_charset, and charset_map are configured together with proxy_pass having buffering disabled, unauthenticated attackers can trigger a heap buffer over-read in...

6.3CVSS5.9AI score0.00717EPSS
CVE
CVE
added 2026/05/13 2:12 p.m.59 views

CVE-2026-40701

The CVE-2026-40701 entry concerns NGINX’s ngx_http_ssl_module where enabling ssl_verify_client (on/optional) with ssl_ocsp (on) or leaf resolver configurations can cause a heap-use-after-free in the NGINX worker process. Impact is limited data modification or worker restart. Affected products inc...

6.3CVSS5.8AI score0.00677EPSS
CVE
CVE
added 2026/05/13 2:12 p.m.54 views

CVE-2026-42946

A vulnerability CVE-2026-42946 affects the NGINX ngx_http_scgi_module and ngx_http_uwsgi_module. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with MITM control over upstream responses may trigger excessive memory allocation or an out-of-bounds read in the NGINX worker, ...

8.3CVSS5.8AI score0.00932EPSS