CVE-2026-27944

Medienbericht

Exploit

EPSS 4.19%
Veröffentlicht 05.03.2026 16:28:13
Zuletzt bearbeitet 10.03.2026 18:11:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nginxui ≫ Nginx Ui Version < 2.3.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	4.19%	0.887

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

CWE-311 Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

https://thehackernews.com/2026/03/weekly-recap-chrome-0-days-router.html

Medienbericht

TheHackersNews

17.03.2026 22:19

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-27944

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27944

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27944

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27944