Feed›Vulnerability›Critical 18-Year-Old NGINX Vulnerability Enables Remote Code...

VulnerabilityCyber Security News

8.1 — CRITICAL

Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution Attacks – PoC Released

📅 14 May 2026 at 06:27 UTC📰 Cyber Security NewsView original source ↗

A critical heap buffer overflow vulnerability, lurking in NGINX’s source code since 2008, has been publicly disclosed. Complete with a working proof-of-concept exploit capable of delivering unauthenticated remote code execution (RCE) against one of the world’s most widely deployed web servers. Assigned a CVSS score of 9.2, CVE-2026-42945 resides in NGINX’s ngx_http_rewrite_module. This engine powers URL rewriting and […] The post Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution Attacks – PoC Released appeared first on Cyber Security News.

🤖 AI BriefingAuto-generated threat analysis

🔍Threat Overview

A critical heap buffer overflow vulnerability in NGINX's source code since 2008 has been publicly disclosed, enabling unauthenticated remote code execution attacks with a working proof-of-concept exploit. The vulnerability, CVE-2026-42945, affects NGINX Plus and Open Source.

⚙️Technical Details

CVEs

CVE-2026-42945

Affected Systems

NGINX PlusNGINX Open Source

Attack Vectors

NETWORK

💥Impact Assessment

Severity: Critical

🛡️Recommended Actions

1Apply a patch or update to the affected NGINX version as soon as possible.

2Disable the rewrite directive and set directives until a fix is available.

3Monitor for signs of exploitation and implement additional security controls.

📦Affected Products

NGINX PlusNGINX Open Source

🔐NVD Verified DataVERIFIED

CVE-2026-42945 ↗CVSS 8.1 — HIGH

Attack Vector

NETWORK

Complexity

HIGH

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CWE-122

Read the full article

This is a curated summary. The complete article is available at Cyber Security News.

Read on Cyber Security News ↗

← Back to feed