// #nginx
2 articles
NGINX 18-Year-Old Heap Buffer Overflow CVE-2026-42945 — CVSS 9.2 Flaw Affects All Versions Since 0.6.27 Including Modern API Gateways
A heap buffer overflow in NGINX's chunked transfer encoding handler, present since version 0.6.27, released in 2008, has been assigned CVE-2026-42945 with a CVSS score of 9.2. The vulnerability affects all NGINX versions through the latest release and has potential for both denial-of-service and remote code execution. Patches are available, and the broad deployment of NGINX as a web server, reverse proxy, and API gateway makes this a wide-impact event.
nginx-ui CVE-2026-33032 Actively Exploited — Unauthenticated Full Server Takeover
A critical authentication bypass vulnerability (CVSS 9.8) in the nginx-ui web management interface allows any network attacker to take complete control of the underlying Nginx server without credentials. Over 2,600 instances are internet-exposed and the flaw is being actively exploited. Update to version 2.3.4 immediately.