
CVE-2026-8711

Published 19/05/2026 15:16 · Modified 19/05/2026 17:57

Labels: CVE-2026-8711, 2026-05-19, CWE-122, [email protected]

Essential information

Published: 19/05/2026 15:16
Modified: 19/05/2026 17:57
Author:
Creator:
CVSS: 9.2 CRITICAL (v3), 9.2 CRITICAL (v4.0)
CISA KEV: No
CWE:
CVSS vector:

CVSS metrics

Description

NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
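As an added example (not part of the advisory or of any NGINX tooling), the following Python check audits the configuration half of the condition described above: it flags js_fetch_proxy directives whose value uses a $http_*, $arg_* or $cookie_* variable, directly or through a set alias. The sample configuration, the function name audit_fetch_proxy and the treatment of set aliases as client-controlled are assumptions; the check does not look at whether a location calls ngx.fetch().

```python
import re

# Prefixes the advisory gives as examples of client-controlled variables (not exhaustive).
CLIENT_PREFIXES = ("http_", "arg_", "cookie_")
VAR_RE = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")
DIRECTIVE_RE = re.compile(r"\b(set|js_fetch_proxy)\s+([^;]+);")

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
server {
    set $upstream_proxy $http_x_proxy;   # alias of a request header
    location /direct {
        js_fetch_proxy http://$arg_proxy:3128;
    }
    location /alias {
        js_fetch_proxy $upstream_proxy;
    }
    location /static {
        js_fetch_proxy http://proxy.internal.example:3128;
    }
}
"""

def audit_fetch_proxy(config_text):
    """Return [(line_no, value, [variables])] for js_fetch_proxy directives
    that use a client-controlled variable directly or via a `set` alias."""
    # Naive comment stripping: a '#' inside a quoted string also truncates.
    text = "\n".join(l.split("#", 1)[0] for l in config_text.splitlines())
    directives = [(m.group(1), m.group(2).strip(),
                   text.count("\n", 0, m.start()) + 1)
                  for m in DIRECTIVE_RE.finditer(text)]
    tainted = set()  # variables assigned from client-controlled input

    def risky(value):
        return [v for v in VAR_RE.findall(value)
                if v.startswith(CLIENT_PREFIXES) or v in tainted]

    changed = True
    while changed:  # fixpoint, so alias chains and file order do not matter
        changed = False
        for name, value, _ in directives:
            parts = value.split(None, 1)
            if name == "set" and len(parts) == 2 and risky(parts[1]):
                alias = parts[0].lstrip("$")
                changed |= alias not in tainted
                tainted.add(alias)
    return [(line, value, risky(value)) for name, value, line in directives
            if name == "js_fetch_proxy" and risky(value)]
```

Calling audit_fetch_proxy(SAMPLE_CONF) reports the /direct and /alias locations and leaves the static proxy URL alone.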

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product         CPE
f5 / nginx      cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
nginx / nginx   cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*

References