rpm package
almalinux/nginx-mod-devel
pkg:rpm/almalinux/nginx-mod-devel
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-9256 | High | 8.1 | | < 1:1.24.0-7.module_el9.8.0+259+a3b861bb.2.alma.1 | 1:1.24.0-7.module_el9.8.0+259+a3b861bb.2.alma.1 | May 22, 2026 | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replac |
| CVE-2026-42945 | High | 8.1 | | < 2:1.20.1-24.el9_7.3.alma.1 | 2:1.20.1-24.el9_7.3.alma.1 | May 13, 2026 | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) |
| CVE-2026-27651 | — | | | < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1 | 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1 | Mar 24, 2026 | When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by retu |
| CVE-2026-27654 | — | | | < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1 | 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1 | Mar 24, 2026 | NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or des |
| CVE-2026-32647 | — | | | < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1 | 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1 | Mar 24, 2026 | NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 fil |
| CVE-2026-27784 | — | | | < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1 | 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1 | Mar 24, 2026 | The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX |
| CVE-2026-1642 | — | | | < 1:1.24.0-5.module_el9.7.0+212+9d3c155a.1.alma.1 | 1:1.24.0-5.module_el9.7.0+212+9d3c155a.1.alma.1 | Feb 4, 2026 | A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inje |
| CVE-2024-7347 | — | | | < 1:1.22.1-8.module_el9.5.0+153+8c633b18.1.alma.1 | 1:1.22.1-8.module_el9.5.0+153+8c633b18.1.alma.1 | Aug 14, 2024 | NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_mod |
| CVE-2023-44487 | High | 7.5 | KEV | < 1:1.20.1-14.el9_2.1.alma.1 | 1:1.20.1-14.el9_2.1.alma.1 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2022-41742 | — | | | < 2:1.20.1-22.el9_6.2.alma.1 | 2:1.20.1-22.el9_6.2.alma.1 | Oct 19, 2022 | NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process |
| CVE-2022-41741 | — | | | < 2:1.20.1-22.el9_6.2.alma.1 | 2:1.20.1-22.el9_6.2.alma.1 | Oct 19, 2022 | NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker m |