VYPR

Nginx

by Nginx

Source repositories

CVEs (58)

  • CVE-2013-2028Jul 20, 2013
    risk 0.03cvss epss 0.87

    The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness…

  • CVE-2018-16844Nov 7, 2018
    risk 0.01cvss epss 0.12

    nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in…

  • CVE-2014-3556Dec 29, 2014
    risk 0.01cvss epss 0.08

    The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by…

  • CVE-2014-0088Apr 29, 2014
    risk 0.01cvss epss 0.09

    The SPDY implementation in the ngx_http_spdy_module module in nginx 1.5.10 before 1.5.11, when running on a 32-bit platform, allows remote attackers to execute arbitrary code via a crafted request.

  • CVE-2014-0133Mar 28, 2014
    risk 0.01cvss epss 0.09

    Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.

  • CVE-2013-2070Jul 20, 2013
    risk 0.01cvss epss 0.12

    http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted…

  • CVE-2012-2089Apr 17, 2012
    risk 0.01cvss epss 0.10

    Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4 directive is used, allows remote attackers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a…

  • CVE-2012-1180Apr 17, 2012
    risk 0.01cvss epss 0.10

    Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request.

  • CVE-2009-3896Nov 24, 2009
    risk 0.01cvss epss 0.10

    src/http/ngx_http_parse.c in nginx (aka Engine X) 0.1.0 through 0.4.14, 0.5.x before 0.5.38, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.14 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a long URI.

  • CVE-2026-27651Mar 24, 2026
    risk 0.00cvss epss 0.01

    When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by…

  • CVE-2026-27654Mar 24, 2026
    risk 0.00cvss epss 0.22

    NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or…

  • CVE-2026-28755Mar 24, 2026
    risk 0.00cvss epss 0.00

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check…

  • CVE-2026-28753Mar 24, 2026
    risk 0.00cvss epss 0.00

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential…

  • CVE-2026-32647Mar 24, 2026
    risk 0.00cvss epss 0.01

    NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4…

  • CVE-2026-27784Mar 24, 2026
    risk 0.00cvss epss 0.01

    The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit…

  • CVE-2026-1642Feb 4, 2026
    risk 0.00cvss epss 0.00

    A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to…

  • CVE-2025-14727Dec 17, 2025
    risk 0.00cvss epss 0.00

    A vulnerability exists in NGINX Ingress Controller's nginx.org/rewrite-target annotation validation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2025-53859Aug 13, 2025
    risk 0.00cvss epss 0.00

    NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication…

  • CVE-2025-1695Mar 4, 2025
    risk 0.00cvss epss 0.01

    In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability allows a remote attacker to cause a degradation that can lead to a limited…

  • CVE-2025-23419Feb 5, 2025
    risk 0.00cvss epss 0.03

    When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets…