Vulnerability | Bleeping Computer
8.1 — CRITICAL
18-year-old NGINX vulnerability allows DoS, potential RCE
An 18-year-old flaw in the NGINX open-source web server, discovered using an autonomous scanning system, can be exploited for denial of service and, under certain conditions, remote code execution. [...]
🤖 AI Briefing: Auto-generated threat analysis
🔍Threat Overview
An 18-year-old vulnerability in the NGINX web server allows denial of service and, under certain conditions, remote code execution, impacting a third of top-ranked websites.
⚙️Technical Details
💥Impact Assessment
Severity: critical
Who Is at Risk
NGINX users with vulnerable configurations, including cloud providers, SaaS companies, banks, media platforms, e-commerce sites, and Kubernetes clusters
🛡️Recommended Actions
1. Upgrade to NGINX Open Source version 1.31.0 or 1.30.1
2. Replace unnamed PCRE capture groups in vulnerable 'rewrite' rules with named captures
3. Disable ASLR protection against memory-based attacks when using NGINX
📦Affected Products
NGINX Open Source versions 0.6.27 through 1.30.0
NGINX Plus R32 through R36
NGINX Instance Manager 2.16.0 through 2.21.1
F5 WAF for NGINX 5.9.0 through 5.12.1
NGINX App Protect WAF 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0
🔐NVD Verified Data (VERIFIED)

CVE-2026-42945: CVSS 8.1 — HIGH
Attack Vector: NETWORK
Complexity: HIGH
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses: CWE-122

CVE-2026-42946: CVSS 6.5 — MEDIUM
Attack Vector: NETWORK
Complexity: HIGH
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
Weaknesses: CWE-789, CWE-823

CVE-2026-40701: CVSS 4.8 — MEDIUM
Attack Vector: NETWORK
Complexity: HIGH
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Weaknesses: CWE-416

CVE-2026-42934: CVSS 4.8 — MEDIUM
Attack Vector: NETWORK
Complexity: HIGH
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Weaknesses: CWE-125
This is a curated summary. The complete article is available at Bleeping Computer.
