CVE-2026-27654
- EPSS 21.62%
- Veröffentlicht 24.03.2026 14:13:26
- Zuletzt bearbeitet 30.06.2026 03:17:57
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or...
CVE-2026-28753
- EPSS 0.26%
- Veröffentlicht 24.03.2026 14:13:26
- Zuletzt bearbeitet 26.03.2026 21:15:24
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream req...
CVE-2026-28755
- EPSS 0.13%
- Veröffentlicht 24.03.2026 14:13:26
- Zuletzt bearbeitet 26.03.2026 14:09:37
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to suc...
CVE-2026-32647
- EPSS 0.92%
- Veröffentlicht 24.03.2026 14:13:25
- Zuletzt bearbeitet 30.06.2026 03:18:33
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, usi...
CVE-2026-1642
- EPSS 0.34%
- Veröffentlicht 04.02.2026 15:02:06
- Zuletzt bearbeitet 13.02.2026 21:35:01
A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker...
CVE-2025-53859
- EPSS 0.37%
- Veröffentlicht 13.08.2025 14:46:55
- Zuletzt bearbeitet 04.11.2025 22:16:27
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a requ...
CVE-2025-23419
- EPSS 2.65%
- Veröffentlicht 05.02.2025 18:15:33
- Zuletzt bearbeitet 27.01.2026 13:30:41
When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets ht...
CVE-2024-7347
- EPSS 0.32%
- Veröffentlicht 14.08.2024 15:15:31
- Zuletzt bearbeitet 03.11.2025 21:18:48
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is b...
CVE-2024-39792
- EPSS 0.63%
- Veröffentlicht 14.08.2024 15:15:26
- Zuletzt bearbeitet 19.08.2024 16:20:28
When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2024-35200
- EPSS 0.92%
- Veröffentlicht 29.05.2024 16:15:10
- Zuletzt bearbeitet 24.01.2025 16:15:15
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.