F5 NGINX out-of-band security updates (multiple vulnerabilities)
Security Patch Release
Summary
F5 released out-of-band security updates for NGINX after finding multiple web server vulnerabilities, including two critical flaws that could enable remote code execution or denial of service on affected systems. The fixes cover NGINX Plus, NGINX Open Source, NGINX Gateway Fabric, and NGINX Instance Manager. Administrators unable to patch immediately have product-specific mitigations, but the release remains urgent because the flaws affect vulnerable non-default configurations.
Related Happenings
Nginx security patch release for CVE-2026-49975
Security Patch Release
H score 42
First: 03.06.2026 22:08
Last: 03.06.2026 22:08
Sources 1
About this happening:
Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/Mitigation
H score 46
First: 03.06.2026 11:33
Last: 03.06.2026 11:33
Sources 1
About this happening:
Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...
NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/Mitigation
H score 23
First: 14.05.2026 18:43
Last: 14.05.2026 18:43
Sources 1
About this happening:
**F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...
F5 security patch release for CVE-2026-42945
Security Patch Release
H score 25
First: 14.05.2026 09:00
Last: 14.05.2026 09:00
Sources 1
About this happening:
F5 released **security fixes** for **NGINX Plus** and **NGINX Open Source** after disclosing **multiple vulnerabilities**, including **CVE-2026-42945**. The patch release covers i...
Latest development: 17.05.2026 14:57
VulnCheck reported active exploitation of CVE-2026-42945 against NGINX Plus and NGINX Open Source, saying honeypot networks saw weaponized, crafted HTTP requests that can crash worker processes and, when ASLR is disabled, enable remote code execution.
CISA order to secure BIG-IP APM
Public Sector Action
H score 89
First: 30.03.2026 13:59
Last: 30.03.2026 13:59
Sources 1
About this happening:
**CISA** added **CVE-2025-53521** to its actively exploited list and ordered **federal agencies** to secure **BIG-IP APM** systems by **midnight on Monday, March 30, 2026**, escal...
Timeline
- 18.06.2026 14:33 · 2 articles
F5 releases out-of-band patches for critical NGINX vulnerabilities
Mitigation Patch Update
F5 released out-of-band security updates for NGINX to address CVE-2026-42530 and CVE-2026-42055, two critical flaws in ngx_http_v3_module and ngx_http_proxy_v2_module/ngx_http_grpc_module that unauthenticated remote attackers could abuse on non-default configurations for denial of service or code execution. F5 also fixed CVE-2026-11311 and CVE-2026-50107 in NGINX Gateway Fabric, which allow authenticated attackers to inject arbitrary NGINX configuration directives, and provided temporary mitigations such as disabling HTTP/3 or adjusting header-related directives for environments that cannot patch immediately.
Sources:
- F5 issues out-of-band patches for critical NGINX vulnerabilities — www.bleepingcomputer.com — 18.06.2026 14:33