VYPR

Nginx

by Nginx

Source repositories

CVEs (58)

  • CVE-2016-0746CriFeb 15, 2016
    risk 0.64cvss 9.8epss 0.09

    Use-after-free vulnerability in the resolver in nginx 0.6.18 through 1.8.0 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (worker process crash) or possibly have unspecified other impact via a crafted DNS response related to CNAME response…

  • CVE-2016-0742HigFeb 15, 2016
    risk 0.55cvss 7.5epss 0.82

    The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid pointer dereference and worker process crash) via a crafted UDP DNS response.

  • CVE-2017-7529HigJul 13, 2017
    risk 0.54cvss 7.5epss 0.63

    Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.

  • CVE-2016-1247HigNov 29, 2016
    risk 0.54cvss 7.8epss 0.05

    The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before 1.10.1-0ubuntu1.1 on Ubuntu 16.10, and the nginx ebuild before 1.10.2-r3 on Gentoo allow local…

  • CVE-2026-8711HigMay 19, 2026
    risk 0.53cvss 8.1epss 0.01

    NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker…

  • CVE-2026-42945HigMay 13, 2026
    risk 0.53cvss 8.1epss 0.61

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1,…

  • CVE-2016-4450HigJun 7, 2016
    risk 0.50cvss 7.5epss 0.16

    os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.

  • CVE-2026-40460MedMay 13, 2026
    risk 0.42cvss 6.5epss 0.00

    When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.  Note: Software versions which have reached End of Technical Support…

  • CVE-2026-42926MedMay 13, 2026
    risk 0.38cvss 5.8epss 0.00

    When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.  Note: Software versions which have reached End of Technical…

  • CVE-2016-0747MedFeb 15, 2016
    risk 0.35cvss 5.3epss 0.08

    The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.

  • CVE-2026-42934MedMay 13, 2026
    risk 0.31cvss 4.8epss 0.01

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions…

  • CVE-2021-23017Jun 1, 2021
    risk 0.09cvss epss 0.53

    A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.

  • CVE-2010-2263Jun 15, 2010
    risk 0.09cvss epss 0.72

    nginx 0.8 before 0.8.40 and 0.7 before 0.7.66, when running on Windows, allows remote attackers to obtain source code or unparsed content of arbitrary files under the web document root by appending ::$DATA to the URI.

  • CVE-2013-4547Nov 23, 2013
    risk 0.08cvss epss 0.68

    nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.

  • CVE-2009-2629Sep 15, 2009
    risk 0.08cvss epss 0.67

    Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.

  • CVE-2018-16843Nov 7, 2018
    risk 0.05cvss epss 0.47

    nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is…

  • CVE-2010-2266Jun 15, 2010
    risk 0.05cvss epss 0.22

    nginx 0.8.36 allows remote attackers to cause a denial of service (crash) via certain encoded directory traversal sequences that trigger memory corruption, as demonstrated using the "%c0.%c0." sequence.

  • CVE-2009-4487Jan 13, 2010
    risk 0.05cvss epss 0.27

    nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

  • CVE-2024-49368Oct 21, 2024
    risk 0.04cvss epss 0.23

    Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.

  • CVE-2009-3898Nov 24, 2009
    risk 0.04cvss epss 0.16

    Directory traversal vulnerability in src/http/modules/ngx_http_dav_module.c in nginx (aka Engine X) before 0.7.63, and 0.8.x before 0.8.17, allows remote authenticated users to create or overwrite arbitrary files via a .. (dot dot) in the Destination HTTP header for the WebDAV…

Page 1 of 3