Nginx is without doubt one of the most popular web servers, powering nearly one third of all websites on the internet, and is built into many commercial products as well. The software is also commonly used as a reverse proxy, load balancer and cache for other web applications and servers.
The CVE-2026-42945 vulnerability is located in ngx_http_rewrite_module, a component that handles URL rewrites, and affects Nginx versions from 0.6.27 to 1.30.0. The issue has been given a 9.2 CVSS severity score and was patched in versions 1.31.0 and 1.30.1.
The commercial product, Nginx Plus, owned and developed by network and application security company F5, is also vulnerable, and received patches in versions R36 P4, R32 P6 and 37.0.0. Other F5 products based on Nginx open source and Nginx Plus are impacted, but haven't yet received updates, including Nginx Instance Manager, F5 WAF for Nginx, Nginx App Protect WAF, F5 DoS for Nginx, Nginx App Protect DoS, Nginx Gateway Fabric, and Nginx Ingress Controller.
"This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?)," F5 said in its advisory. According to the company, exploitation will lead to a denial of service condition in the form of a server crash and, on systems with Address Space Layout Randomization (ASLR) disabled, arbitrary code execution.
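To find configurations that match the condition F5 describes, the following added example (not code from F5 or the Nginx project) scans configuration text for a `rewrite` whose replacement string contains a question mark and that is followed in the same block by a `rewrite`, `if` or `set` directive, with an unnamed capture such as `$1` in either one. That reading of the advisory wording is an assumption chosen to over-report rather than miss; the names `parse`, `audit` and `SAMPLE_CONF` are hypothetical, `include` files are not followed, and only directives in the same block are compared.

```python
import re

# Tokens: quoted string, comment, punctuation, or bare word.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#[^\n]*|[{};]|[^\s{};]+')
UNNAMED = re.compile(r"\$\d")          # unnamed capture reference: $1, $2, ...
FOLLOWERS = {"rewrite", "if", "set"}   # directives named in the advisory
# Constructed sample configuration (not from the advisory).
SAMPLE_CONF = r"""server {
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1?src=old;
        set $origin $1;
    }
    location /named/ {
        rewrite ^/named/(?<rest>.*)$ /new/$rest?src=named;
        set $origin $rest;
    }
}
"""

def parse(text):
    """Return every block as an ordered list of (line, args) directives."""
    blocks, stack, cur, line = [], [[]], [], 0
    for m in TOKEN.finditer(text):
        tok = m.group()
        if tok in (";", "{") and cur:
            stack[-1].append((line, cur))      # directive ends at ';' or '{'
        if tok == "{":
            stack.append([])                   # open a nested block
        elif tok == "}" and len(stack) > 1:
            blocks.append(stack.pop())         # close the current block
        if tok in (";", "{", "}"):
            cur = []
        elif not tok.startswith("#"):          # skip comments
            if not cur:
                line = text.count("\n", 0, m.start()) + 1
            cur.append(tok)
    return blocks + stack

def audit(text):
    """Return (rewrite_line, follower_line) pairs matching the advisory's pattern."""
    findings = []
    for block in parse(text):
        for i, (line, args) in enumerate(block):
            if args[0] != "rewrite" or len(args) < 3 or "?" not in args[2]:
                continue                       # replacement needs a '?'
            for nline, nargs in block[i + 1:]:
                if nargs[0] in FOLLOWERS and UNNAMED.search(" ".join([args[2]] + nargs[1:])):
                    findings.append((line, nline))
                    break
    return findings
```

A finding is a prompt to review the block and prioritise the upgrade to a patched version, not proof that the server is exploitable; the `/named/` location in the sample is not flagged because it uses a named capture.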



