6.9

CVE-2026-40460

Medienbericht

NGINX ngx_quic_module vulnerability

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
F5Dos SwPlatformnginx Version >= 4.3.0 <= 4.7.0
F5Dos Version4.8.0 SwPlatformnginx
F5Nginx Gateway Fabric Version >= 1.3.0 <= 1.6.2
F5Nginx Gateway Fabric Version >= 2.0.0 <= 2.6.0
F5Nginx Ingress Controller Version >= 3.5.0 <= 3.7.2
F5Nginx Ingress Controller Version >= 4.0.0 <= 4.0.1
F5Nginx Ingress Controller Version >= 5.0.0 <= 5.4.2
F5Nginx Instance Manager Version >= 2.16.0 <= 2.22.0
F5Nginx Open Source Version >= 1.25.0 <= 1.30.0
F5Nginx Plus Version >= r32 <= r36
F5Waf SwPlatformnginx Version >= 4.9.0 <= 4.16.0
F5Waf SwPlatformnginx Version >= 5.1.0 <= 5.8.0
F5Waf SwPlatformnginx Version >= 5.9.0 <= 5.12.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.37% 0.285
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
f5sirt@f5.com 6.9 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
f5sirt@f5.com 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
19.05.2026 09:16
https://my.f5.com/manage/s/article/K000161068
Vendor Advisory