Find notable cyber news and cases, enriched with sources, timelines, and signals.

NGINX rewrite-rule workaround for CVE-2026-42945

Advisory/Mitigation
First reported
Last updated
Happening score
H score 23
1 unique sources, 1 articles

Summary

Hide ▲

F5 issued a workaround for vulnerable NGINX rewrite rules, reducing exposure to CVE-2026-42945 for operators who cannot upgrade immediately. The guidance replaces unnamed PCRE capture groups ($1, $2, etc.) with named captures. That change removes the main exploitation prerequisite in affected NGINX configurations. The mitigation is meant to bridge deployments until fixed versions can be installed.

Related Happenings

F5 security patch release for CVE-2026-42530

Security Patch Release
H score39 First: 18.06.2026 20:32 Last: 18.06.2026 20:32 Sources 1

About this happening: **F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...

NGINX web server critical flaws (multiple vulnerabilities)

Vulnerability
H score38 First: 18.06.2026 14:33 Last: 18.06.2026 14:33 Sources 1

About this happening: **NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...

F5 NGINX out-of-band security updates (multiple vulnerabilities)

Security Patch Release
H score34 First: 18.06.2026 14:33 Last: 18.06.2026 14:33 Sources 1

About this happening: **F5** released **out-of-band security updates** for **NGINX** after finding multiple web server vulnerabilities, including **two critical flaws** that could enable **remote code...

Nginx security patch release for CVE-2026-49975

Security Patch Release
H score42 First: 03.06.2026 22:08 Last: 03.06.2026 22:08 Sources 1

About this happening: Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...

Ivanti security patch release for CVE-2026-8043

Security Patch Release
H score25 First: 18.05.2026 13:54 Last: 18.05.2026 13:54 Sources 1

About this happening: **Ivanti, Fortinet, SAP, Broadcom, and n8n** released **security fixes** on **2026-05-18** for flaws that could enable **authentication bypass**, **remote code execution**, **SQL...

Timeline

  1. 14.05.2026 18:43 1 articles · 1mo ago

    DepthFirst AI discovers CVE-2026-42945 in NGINX

    Technical Analysis Update

    DepthFirst AI identifies CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX Open Source, during a six-hour autonomous code scanning session.

    Show sources
  2. 13.05.2026 03:00 2 articles · 1mo ago

    F5 releases a workaround for vulnerable NGINX rewrite rules

    Mitigation Patch Update

    F5 releases mitigation guidance for vulnerable NGINX rewrite rules, advising operators who cannot upgrade to replace unnamed PCRE capture groups ($1, $2, etc.) with named captures so the main exploitation prerequisite is removed.

    Show sources
  3. 21.04.2026 03:00 1 articles · 2mo ago

    Researchers report CVE-2026-42945 to the vendor

    Initial Disclosure

    Researchers report CVE-2026-42945 to the vendor, identifying a heap buffer overflow in ngx_http_rewrite_module that affects NGINX versions 0.6.27 through 1.30.0.

    Show sources