Lucene search
K
F5Nginx Plus

26 matches found

CVE
CVE
added 2023/10/10 12:0 a.m.5303 views

CVE-2023-44487

CVE-2023-44487 – HTTP/2 Rapid Reset DoS Root cause: HTTP/2 stream resets can cause servers to continue processing, leading to unbounded resource consumption and potential DoS when clients rapidly cancel streams. What’s affected: Various HTTP/2 implementations and deployments, including servers, p...

7.5CVSS8AI score0.99999EPSS
In wild
CVE
CVE
added 2025/02/05 5:31 p.m.1388 views

CVE-2025-23419

CVE-2025-23419 affects nginx where multiple server blocks share an IP/port and an attacker can reuse TLS session tickets or the SSL session cache to bypass client certificate authentication on the default server. The issue stems from how session resumption is handled when the default server perfo...

5.3CVSS4.8AI score0.02646EPSS
CVE
CVE
added 2026/02/04 3:2 p.m.864 views

CVE-2026-1642

The CVE-2026-1642 entry describes a vulnerability in NGINX OSS and NGINX Plus when configured to proxy to upstream TLS servers. Under a MITM position on the upstream side and conditions outside the attacker’s control, an attacker may inject plain text data into the response from an upstream proxi...

8.2CVSS5.5AI score0.00339EPSS
CVE
CVE
added 2024/08/14 2:32 p.m.649 views

CVE-2024-7347

NGINX/Open Source and Plus are vulnerable when built with ngx_http_mp4_module and the mp4 directive is used; a specially crafted MP4 file can over-read worker memory, potentially terminating the process. Affected versions vary by distribution; several advisories indicate patches are available. Fo...

5.7CVSS4.7AI score0.0032EPSS
CVE
CVE
added 2024/02/14 4:30 p.m.536 views

CVE-2024-24989

CVE-2024-24989 affects NGINX Plus and NGINX Open Source when configured with the HTTP/3 QUIC module. The underlying issue is in the HTTP/3 QUIC module, which can cause NGINX worker processes to terminate, yielding a denial-of-service condition. The vulnerability is tied to the HTTP/3 QUIC module ...

7.5CVSS7.5AI score0.01061EPSS
CVE
CVE
added 2026/03/24 2:13 p.m.438 views

CVE-2026-27654

The CVE-2026-27654 entry affects NGINX Open Source and NGINX Plus via the ngx_http_dav_module. The issue is a buffer overflow that can cause the NGINX worker process to terminate or modify source/destination file names outside the document root. It is triggered when the DAV module MOVE or COPY me...

8.8CVSS6.1AI score0.21621EPSS
CVE
CVE
added 2024/02/14 4:30 p.m.430 views

CVE-2024-24990

Summary of CVE-2024-24990 (NGINX HTTP/3 QUIC): The issue affects NGINX Plus and NGINX Open Source when the HTTP/3 QUIC module is enabled. Undisclosed requests can trigger a denial-of-service by causing NGINX worker processes to terminate. In practice, this is a data-plane DoS with no control-plan...

7.5CVSS7.5AI score0.00914EPSS
CVE
CVE
added 2024/05/29 4:2 p.m.392 views

CVE-2024-31079

CVE-2024-31079 affects NGINX Plus and NGINX Open Source when using the HTTP/3 QUIC module (ngx_http_v3_module). The underlying issue is triggered by undisclosed HTTP/3 requests timed during the connection draining process, causing worker processes to terminate or similar impact. Exploitation stat...

4.8CVSS5AI score0.00872EPSS
CVE
CVE
added 2024/05/29 4:2 p.m.384 views

CVE-2024-32760

CVE-2024-32760 affects NGINX Plus and NGINX Open Source when using the HTTP/3 QUIC module (ngx_http_v3_module). The root cause is undisclosed or unspecified HTTP/3 encoder instructions that can cause NGINX worker processes to terminate, leading to DoS or other impact. Observed impact in the conne...

6.5CVSS6.3AI score0.00848EPSS
CVE
CVE
added 2026/05/13 2:12 p.m.361 views

CVE-2026-42945

CVE-2026-42945 affects NGINX Open Source and NGINX Plus via the ngx_http_rewrite_module when a rewrite/if/set directive is followed by a PCRE capture and a replacement containing a question mark. This can cause a heap buffer overflow in the worker process and, on systems with ASLR disabled, poten...

9.2CVSS6.4AI score0.61469EPSS
In wild
CVE
CVE
added 2026/03/24 2:13 p.m.353 views

CVE-2026-32647

Summary: NGINX Open Source and NGNIX Plus may be affected when built with the ngx_http_mp4_module and using the mp4 directive. The issue is a vulnerability in the module that can trigger a buffer over-read or over-write in the worker memory, potentially terminating the worker or enabling code exe...

8.5CVSS6.1AI score0.00918EPSS
CVE
CVE
added 2024/05/29 4:2 p.m.349 views

CVE-2024-35200

CVE-2024-35200 affects NGINX Plus and NGINX Open Source when the HTTP/3 QUIC module (ngx_http_v3_module) is enabled. The underlying issue causes NGINX worker processes to terminate after undisclosed HTTP/3 requests, resulting in a denial-of-service. Affected versions (per connected advisories) in...

5.3CVSS5.2AI score0.00917EPSS
CVE
CVE
added 2024/05/29 4:2 p.m.346 views

CVE-2024-34161

CVE-2024-34161 affects NGINX Plus and NGINX Open Source when using the HTTP/3 QUIC module with MTU 4096+ without fragmentation. The root cause is in the HTTP/3 QUIC module (ngx_http_v3_module) handling QUIC packets, which can cause leakage of previously freed memory in NGINX worker processes. The...

5.3CVSS5.2AI score0.00867EPSS
CVE
CVE
added 2026/05/22 2:11 p.m.304 views

CVE-2026-9256

NGINX Plus and NGINX Open Source expose a vulnerability in the ngx_http_rewrite_module when a rewrite directive uses distinct, overlapping PCRE captures (e.g., ^/((.*))$) and the replacement references multiple captures (e.g., $1$2) in redirects or arguments. An unauthenticated attacker can send ...

9.2CVSS6.2AI score0.04261EPSS
CVE
CVE
added 2026/06/17 2:4 p.m.303 views

CVE-2026-42055

CVE-2026-42055 affects NGINX Plus and NGINX Open Source via the ngx_http_proxy_v2_module and ngx_http_grpc_module. A remote, unauthenticated attacker can exploit scenarios where proxy_http_version 2 or grpc_pass is used, ignore_invalid_headers is off, and large_client_header_buffers is set to mul...

9.2CVSS6AI score0.0314EPSS
CVE
CVE
added 2026/06/17 2:4 p.m.162 views

CVE-2026-48142

CVE-2026-48142 affects the ngx_http_charset_module in NGINX Plus and NGINX Open Source. When a location block uses both source_charset utf-8 and a charset directive (e.g., charset koi8-r), remote unauthenticated attackers can trigger a heap buffer over-read in the NGINX worker process, causing me...

6.3CVSS5.6AI score0.00398EPSS
CVE
CVE
added 2026/03/24 2:13 p.m.160 views

CVE-2026-27651

CVE-2026-27651 affects the ngx_mail_auth_http_module in NGINX Plus and NGINX Open Source. When CRAM-MD5 or APOP authentication is enabled and the authentication server indicates a retry by returning the Auth-Wait header, undisclosed requests can cause worker processes to terminate. This is the st...

8.7CVSS5.8AI score0.00921EPSS
CVE
CVE
added 2025/08/13 2:46 p.m.139 views

CVE-2025-53859

Technical details about CVE-2025-53859 are not provided in the connected documents. The initial description notes an over-read in NGINX SMTP authentication, but no technical specifics are included here. Monitor for updates.

6.3CVSS7.5AI score0.00371EPSS
CVE
CVE
added 2024/08/14 2:32 p.m.107 views

CVE-2024-39792

CVE-2024-39792 : NGINX Plus configured with the MQTT pre-read module may cause memory resource exhaustion from undisclosed requests, leading to denial of service. The description notes that versions past EoTS are not evaluated. No exploits or mitigations are provided in the sources beyond this vu...

8.7CVSS7.5AI score0.00628EPSS
CVE
CVE
added 2022/10/19 9:21 p.m.95 views

CVE-2022-41743

The CVE-2022-41743 issue affects NGINX Plus versions R27 P1 and R26 P1 with the ngx_http_hls_module. A local attacker could trigger processing of a specially crafted audio/video file to corrupt NGINX worker memory, causing a crash or other impact. Exploitation is Local, requires low privileges, n...

7CVSS6.9AI score0.00214EPSS
CVE
CVE
added 2026/05/13 2:12 p.m.93 views

CVE-2026-40460

CVE-2026-40460 affects NGINX Plus ngx_quic_module and NGINX Open Source when HTTP/3 QUIC is enabled. An attacker could spoof the source IP to bypass authorization or rate limiting, potentially enabling unauthorized access or DoS. Remediation per the connected advisory: upgrade to vulnerable-produ...

6.9CVSS5.8AI score0.00367EPSS
CVE
CVE
added 2026/05/13 2:12 p.m.67 views

CVE-2026-42934

The CVE-2026-42934 entry concerns NGINX Plus and NGINX Open Source with a vulnerability in the ngx_http_charset_module. When charset, source_charset, and charset_map are configured together with proxy_pass having buffering disabled, unauthenticated attackers can trigger a heap buffer over-read in...

6.3CVSS5.9AI score0.00717EPSS
CVE
CVE
added 2026/05/13 2:12 p.m.58 views

CVE-2026-40701

The CVE-2026-40701 entry concerns NGINX’s ngx_http_ssl_module where enabling ssl_verify_client (on/optional) with ssl_ocsp (on) or leaf resolver configurations can cause a heap-use-after-free in the NGINX worker process. Impact is limited data modification or worker restart. Affected products inc...

6.3CVSS5.8AI score0.00677EPSS
CVE
CVE
added 2026/03/24 2:13 p.m.57 views

CVE-2026-28753

CVE-2026-28753 affects NGINX Plus and NGINX Open Source through the ngx_mail_smtp_module. The vulnerability arises from improper handling of CRLF sequences in DNS responses, which could allow an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, enabling poten...

6.3CVSS5.9AI score0.00264EPSS
CVE
CVE
added 2026/05/13 2:12 p.m.53 views

CVE-2026-42946

A vulnerability CVE-2026-42946 affects the NGINX ngx_http_scgi_module and ngx_http_uwsgi_module. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with MITM control over upstream responses may trigger excessive memory allocation or an out-of-bounds read in the NGINX worker, ...

8.3CVSS5.8AI score0.00932EPSS
CVE
CVE
added 2026/03/24 2:13 p.m.46 views

CVE-2026-28755

CVE-2026-28755 affects both NGINX Plus and NGINX Open Source via the ngx_stream_ssl_module . The vulnerability arises from improper handling of revoked certificates when ssl_verify_client is enabled and ssl_ocsp is on, causing the TLS handshake to succeed even after an OCSP revocation check ident...

5.4CVSS5.9AI score0.00133EPSS