
NGINX web server critical flaws (multiple vulnerabilities)

Vulnerability · H score 26 · 1 unique source, 1 article

Summary


Two critical flaws in the NGINX web server, CVE-2026-42530 and CVE-2026-42055, can let unauthenticated remote attackers cause denial of service or code execution against non-default configurations. The bugs affect ngx_http_v3_module, ngx_http_proxy_v2_module, and ngx_http_grpc_module. F5 released out-of-band fixes and temporary mitigations for affected deployments, including NGINX Plus and NGINX Open Source.

Related Happenings

NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation
H score 46 · First: 03.06.2026 11:33 · Last: 03.06.2026 11:33 · Sources: 1

About this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
H score 46 · First: 17.05.2026 14:57 · Last: 17.05.2026 14:57 · Sources: 1

About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...

NGINX rewrite-rule workaround for CVE-2026-42945

Advisory/Mitigation
H score 23 · First: 14.05.2026 18:43 · Last: 14.05.2026 18:43 · Sources: 1

About this happening: **F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...

Nginx UI auth-bypass exploitation wave (CVE-2026-33032)

Exploitation Wave
H score 9 · First: 16.04.2026 01:35 · Last: 16.04.2026 01:35 · Sources: 1

About this happening: **CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...

NGINX traffic hijacking campaign targeting Asian and government domains

Campaign
H score 30 · First: 05.02.2026 01:26 · Last: 05.02.2026 01:26 · Sources: 1

About this happening: A **threat actor** is running an active **traffic-hijacking campaign** against **NGINX servers**, rerouting user requests through attacker infrastructure and increasing the risk o...

Timeline

  1. 18.06.2026 14:33 2 articles · 3h ago

    F5 releases out-of-band NGINX security updates

    Mitigation Patch Update

    F5 released out-of-band security updates for NGINX to address CVE-2026-42530 and CVE-2026-42055 in ngx_http_v3_module, ngx_http_proxy_v2_module, and ngx_http_grpc_module. The fixes also cover NGINX Plus, NGINX Open Source, NGINX Gateway Fabric, and NGINX Instance Manager. The flaws can let unauthenticated remote attackers trigger denial of service or code execution against non-default configurations. Where patching is delayed, F5 advised temporary mitigations: disabling HTTP/3 for CVE-2026-42530, and removing the ignore_invalid_headers off setting while reducing large_client_header_buffers for CVE-2026-42055.
