
[CIVN-0269] Multiple Vulnerabilities in NGINX
Indian - Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
NGINX UI versions 2.3.5 and prior.
NGINX JavaScript (njs) versions 0.9.4 to 0.9.8.
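A version triage check for the two affected ranges listed above, as an added example that is not part of the CERT-In advisory. The inventory rows, host names and function names are constructed for illustration; versions are compared numerically so that a release such as 0.9.10 is not mistaken for one below 0.9.8.

```python
import re

# Affected ranges exactly as stated in the advisory (bounds are inclusive).
AFFECTED = {
    "nginx-ui": (None, (2, 3, 5)),       # 2.3.5 and prior
    "njs": ((0, 9, 4), (0, 9, 8)),       # 0.9.4 to 0.9.8
}

def parse_version(text):
    """Parse 'v2.3.5' or '0.9.6-1~jammy' into (major, minor, patch); None if unparsable."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def is_affected(product, version_text):
    """True/False if the version is inside/outside the listed range.
    None means unknown product or unparsable version: review by hand."""
    bounds = AFFECTED.get(product.lower())
    ver = parse_version(version_text)
    if bounds is None or ver is None:
        return None
    low, high = bounds
    return (low is None or ver >= low) and ver <= high

def triage(inventory):
    """Map (host, product, version) rows to a status string per row."""
    labels = {True: "AFFECTED", False: "outside affected range",
              None: "UNKNOWN: check manually"}
    return [(h, p, v, labels[is_affected(p, v)]) for h, p, v in inventory]

# Constructed sample inventory (hypothetical hosts and package versions).
INVENTORY = [
    ("edge-01", "nginx-ui", "v2.3.5"),
    ("edge-02", "njs", "0.9.6-1~jammy"),
    ("edge-03", "njs", "0.9.10"),
    ("edge-04", "njs", "0.9.3"),
    ("edge-05", "nginx-ui", "unknown"),
]

if __name__ == "__main__":
    for host, product, version, status in triage(INVENTORY):
        print(f"{host:8} {product:9} {version:15} {status}")
```

Pre-release or distribution suffixes are ignored, so a build such as 2.3.5-beta is treated as 2.3.5 and reported as affected.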
Overview
Multiple vulnerabilities have been reported in NGINX products which could allow an unauthenticated attacker to bypass security restrictions, execute arbitrary code, and cause a denial-of-service condition on the targeted system.
Target Audience:
Organizations and individuals running affected versions of NGINX JavaScript (njs) and NGINX UI products.
Risk Assessment:
High risk of complete system compromise.
Impact Assessment:
Potential for service disruption and unauthorized access.
Description
NGINX is a high-performance web server, reverse proxy, load balancer, and HTTP cache designed to handle massive, simultaneous connections with low resource usage.
Multiple vulnerabilities have been identified in NGINX components due to missing authentication and heap-based buffer overflow issues. An unauthenticated actor could exploit these vulnerabilities by sending specially crafted HTTP requests.
Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to bypass security restrictions, execute arbitrary code, and cause a denial-of-service condition on the targeted system.
Solution
There are no available patches for CVE-2026-33032 at the time of publication.
Apply appropriate security updates for CVE-2026-8711 as mentioned in the NGINX Security Updates:
https://my.f5.com/manage/s/article/K000161327
https://my.f5.com/manage/s/article/K000161307
Vendor Information
NGINX
https://github.com/0xJacky/nginx-ui/security
https://nginx.org/en/docs/njs/security.html
References
https://my.f5.com/manage/s/article/K000161327
https://my.f5.com/manage/s/article/K000161307
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf
https://nginx.org/en/docs/njs/security.html
CVE Name
CVE-2026-8711
CVE-2026-33032
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


