Unrated severityNVD Advisory· Published Mar 24, 2026· Updated Mar 24, 2026
NGINX ngx_mail_proxy_module vulnerability
CVE-2026-28753
Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected products
6(expand)+ 1 more
- (no CPE)
- (no CPE)range: R36
- osv-coords3 versions
>= 0.6.27, < 1.28.3+ 2 more
- (no CPE)range: >= 0.6.27, < 1.28.3
- (no CPE)range: >= 0.6.27, < 1.28.3
- (no CPE)range: < 1.29.7-1.1
Patches
Vulnerability mechanics
References
1- my.f5.com/manage/s/article/K000160367mitrevendor-advisory
News mentions
0No linked articles in our index yet.