F5 Networks F5 Networks

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any F5 Networks product.

RSS Feeds for F5 Networks security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in F5 Networks products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by F5 Networks Sorted by Most Security Vulnerabilities since 2018

F5 Networks Big Ip Analytics357 vulnerabilities

F5 Networks Big Ip Edge Gateway166 vulnerabilities

F5 Networks Big Ip148 vulnerabilities

F5 Networks 57 vulnerabilities

F5 Networks Big Ip Websafe54 vulnerabilities

F5 Networks Nginx48 vulnerabilities

F5 Networks Njs39 vulnerabilities

F5 Networks Tomcat37 vulnerabilities

F5 Networks Nginx Plus30 vulnerabilities

F5 Networks Nginx Open Source29 vulnerabilities

F5 Networks Ssl Orchestrator27 vulnerabilities

F5 Networks Enterprise Manager27 vulnerabilities

F5 Networks Http Server23 vulnerabilities

F5 Networks F5os A8 vulnerabilities

F5 Networks Java8 vulnerabilities

F5 Networks Mysql7 vulnerabilities

F5 Networks F5os C7 vulnerabilities

F5 Networks Big Iq Cloud5 vulnerabilities

F5 Networks Big Iq Device5 vulnerabilities

F5 Networks Big Iq Security5 vulnerabilities

F5 Networks Big Ip Apm4 vulnerabilities

F5 Networks Big Ip Dns4 vulnerabilities

F5 Networks Nginx Agent3 vulnerabilities

F5 Networks Big Ip Next3 vulnerabilities

F5 Networks Solr2 vulnerabilities

F5 Networks Pulsar1 vulnerability

F5 Networks Ofbiz1 vulnerability

F5 Networks Nginx Unit1 vulnerability

F5 Networks Kafka1 vulnerability

F5 Networks Graalvm1 vulnerability

Recent F5 Networks Security Advisories

Advisory Title Published
K000161837 K000161837: Out-of-band Security Notification (July 15, 2026) July 15, 2026
K000162101 K000162101: NGINX Plus ngx_stream_mqtt_filter_module vulnerability CVE-2026-60065 July 15, 2026
K000162097 K000162097: NGINX map directive and regex matching vulnerability CVE-2026-42533 July 15, 2026
K000161834 K000161834: NGINX Ingress Controller vulnerability CVE-2026-52865 July 15, 2026
K000161971 K000161971: NGINX Agent vulnerability CVE-2026-60062 July 15, 2026
K000161800 K000161800: NGINX Ingress Controller vulnerability CVE-2026-55723 July 15, 2026
K000162231 K000162231: BIG-IP HTTP/2 vulnerability CVE-2026-59762 July 15, 2026
K000162100 K000162100: NGINX ngx_http_slice_module vulnerability CVE-2026-60005 July 15, 2026
K000162098 K000162098: NGINX ngx_http_ssi_module vulnerability CVE-2026-56434 July 15, 2026
K000162282 K000162282: Node.js vulnerabilities CVE-2026-48931 and CVE-2026-48934 July 15, 2026

Known Exploited F5 Networks Vulnerabilities

The following F5 Networks vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
F5 BIG-IP Unspecified Vulnerability F5 BIG-IP APM contains an unspecified vulnerability that could allow a threat actor to achieve remote code execution.
CVE-2025-53521 Exploit Probability: 2.2%
March 27, 2026
F5 BIG-IP Configuration Utility SQL Injection Vulnerability F5 BIG-IP Configuration utility contains an SQL injection vulnerability that may allow an authenticated attacker with network access through the BIG-IP management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46747.
CVE-2023-46748 Exploit Probability: 4.5%
October 31, 2023
F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748.
CVE-2023-46747 Exploit Probability: 96.5%
October 31, 2023
F5 BIG-IP Missing Authentication Vulnerability F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services.
CVE-2022-1388 Exploit Probability: 100.0%
May 10, 2022
F5 BIG-IP Traffic Management Microkernel Buffer Overflow The Traffic Management Microkernel of BIG-IP ASM Risk Engine has a buffer overflow vulnerability, leading to a bypassing of URL-based access controls.
CVE-2021-22991 Exploit Probability: 61.1%
January 18, 2022
F5 BIG-IP Traffic Management User Interface Remote Code Execution Vulnerability In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
CVE-2020-5902 Exploit Probability: 100.0%
November 3, 2021
F5 iControl REST unauthenticated Remote Code Execution Vulnerability The iControl REST interface has an unauthenticated remote command execution vulnerability.
CVE-2021-22986 Exploit Probability: 99.9%
November 3, 2021

Of the known exploited vulnerabilities above, 5 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 216 vulnerabilities in F5 Networks with an average score of 7.0 out of ten. Last year, in 2025 F5 Networks had 382 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in F5 Networks in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.15.




Year Vulnerabilities Average Score
2026 216 6.98
2025 382 6.84
2024 346 6.46
2023 177 6.99
2022 406 7.04
2021 328 7.23
2020 263 6.62
2019 306 6.76
2018 218 7.01

It may take a day or so for new F5 Networks vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent F5 Networks Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-60005 Jul 15, 2026
NGINX ngx_http_slice_module UAF: Uninitialized Mem Access NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_slice_module module. When the slice directive and unnamed regex captures are configured or when a background cache update happens, unauthenticated attackers can send requests that may cause uninitialized memory access in the NGINX worker process, leading to limited disclosure of memory or a restart. Impact: This vulnerability may allow remote, unauthenticated attackers to have limited control to disclose memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: The ngx_http_slice_module module is not enabled by default; it's enabled with the --with-http_slice_module configuration parameter. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-56434 Jul 15, 2026
Heap OOB in NGINX ngx_http_ssi_module NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssi_module module. This vulnerability may exist when the Server-Side Includes (SSI), proxy_pass, and proxy_buffering off directives are configured. With this configuration, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to cause a use-after-free in the NGINX worker process. This issue may lead to limited modification of memory or a restart of the NGINX worker process. Impact: This vulnerability may allow remote attackers to have limited control to modify memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-42533 Jul 15, 2026
NGINX Map Regex Heap Overflow Remote DoS A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map's regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Impact: This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution. There is no control plane exposure; this is a data plane issue only.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-60065 Jul 15, 2026
NGINX Plus MQTT Filter Module Heap Buffer Over-Read (Restart) When NGINX Plus is configured to use the Message Queuing Telemetry Transport (MQTT) filter module (ngx_stream_mqtt_filter_module), unauthenticated attackers can send requests with conditions beyond the attacker's control to cause a heap buffer over-read in the NGINX worker process, leading to a restart. Impact: This vulnerability may allow remote unauthenticated attackers to have limited control to restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
CVE-2026-55723 Jul 15, 2026
NGINX Ingress Controller CRD Injection Allows Arbitrary Config Write When NGINX Ingress Controller is configured with Custom Resource Definitions (CRDs) or Ingress annotations, an injection vulnerability exists in the configuration generator of NGINX Ingress Controller. Multiple user-controllable fields are written into the generated NGINX configuration without sanitization. An authenticated attacker with permission to create or modify these CRDs or annotations may craft values that inject arbitrary NGINX configuration directives. Impact: An authenticated attacker granted write access to NGINX Ingress Controller CRDs or Ingress annotations through the Kubernetes API may be able to inject arbitrary NGINX configuration directives, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Ingress Controller
CVE-2026-60062 Jul 15, 2026
NGINX Agent config_dirs Path Traversal RCE via Low-Priv Priv Esc The NGINX Agent config_dirs directive allows a low-privileged attacker to gain limited read and write access to files outside of the designated secure directory. The config_dirs directive required for this issue can also be configured through NGINX Instance Manager. A successful exploit may allow an attacker to cross a security boundary. Impact: A remotely authenticated low-privileged attacker could gain limited read and write access outside of the list of directories specified in the NGINX Agent configuration. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Agent
Nginx Instance Manager
CVE-2026-52865 Jul 15, 2026
NGINX Ingress Controller DoS via Malformed Ingress Resource When NGINX Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission to create or modify Ingress or TransportServer resources can cause the NGINX Ingress Controller process to terminate. Impact: The NGINX Ingress Controller control plane process terminates and enters a persistent crash loop while the malformed Ingress or TransportServer resource remains in the cluster. This vulnerability allows a remote, authenticated attacker with at least Ingress or TransportServer resource write access to cause a denial-of-service (DoS) on the NGINX Ingress Controller system. There is no data plane exposure; this is a control plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Ingress Controller
CVE-2026-59762 Jul 15, 2026
HTTP/2 Unauth DoS in F5 BIG-IP Virtual Server When an HTTP/2 profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization.   Impact: System performance can degrade until the TMM process is either forced to restart or is manually restarted. This vulnerability allows a remote, unauthenticated attacker to cause a degradation of service that can lead to a denial-of-service (DoS) on the BIG-IP system. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-48934 Jun 26, 2026
Node.js TLS Host Verification Bypass in Certification Validation A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
CVE-2026-48619 Jun 26, 2026
Node.js HTTP/2 Client OOM via Unlimited ORIGIN Frames A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
CVE-2026-48936 Jun 26, 2026
Node.js Permission API flaw spawns local server via Unix socket A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**.
CVE-2026-53102 Jun 24, 2026
Linux kernel mt76 WiFi driver memory leak in skb allocation In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req() mt76_connac_mcu_alloc_sta_req() allocates an skb which is expected to be freed eventually by mt76_mcu_skb_send_msg(). However, currently if an intermediate function fails before sending, the allocated skb is leaked. Specifically, mt76_connac_mcu_sta_wed_update() and mt76_connac_mcu_sta_key_tlv() may fail, leading to an immediate memory leak in the error path. Fix this by explicitly freeing the skb in these error paths. Commit 7c0f63fe37a5 ("wifi: mt76: mt7996: fix memory leak on mt7996_mcu_sta_key_tlv error") made a similar change. Compile tested only. Issue found using a prototype static analysis tool and code review.
CVE-2026-48931 Jun 22, 2026
Node.js HTTP Agent accepts premature response CVE-2026-48931 A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
CVE-2026-32682 Jun 17, 2026
Authenticated Remote Attacker Can Crash NGINX GW Fabric via GRPCRoute When NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-50107 Jun 17, 2026
NGINX Gateway Fabric Config Generator Injection in CRD Log Format When NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-42055 Jun 17, 2026
NGINX Heap Buffer Overflow via Large HTTP/2 Headers in Proxy Modules NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Open Source
Nginx Plus
CVE-2026-11311 Jun 17, 2026
NGINX Gateway Fabric Config Generator Injection via Unescaped CRD Fields When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-48142 Jun 17, 2026
NGINX ngx_http_charset_module Heap Buffer Over-Read (CVE-2026-48142) NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Open Source
Nginx Plus
CVE-2026-42530 Jun 17, 2026
NGINX v3 Module UAF via HTTP/3 Session Reopen NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Open Source
CVE-2026-47825 Jun 15, 2026
Spring Cloud Gateway XFF Header Forwarding Issue (3.1.13) Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway 4.1.x (fix 4.1.13). Spring Cloud Gateway 4.2.x (fix 4.2.9). Spring Cloud Gateway 4.3.x (fix 4.3.5). Spring Cloud Gateway 5.0.x (fix 5.0.2).
CVE-2026-41700 Jun 11, 2026
Spring GraphQL WebSocket Hijacking (v1.02.0.3) Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
CVE-2026-41699 Jun 11, 2026
RCE via Unsafe Deserialization in Spring for GraphQL 1.32.0 Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.
CVE-2026-41000 Jun 11, 2026
Spring WS ReplayCache Wiring Flaw (5.0.x,4.1.x,4.0.x,3.1.x) Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
CVE-2026-40996 Jun 11, 2026
Spring Web Services 3.1.0-5.0.1 Insecure RSA PKCS#1 v1.5 Key Transport Default Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material unless operators explicitly reconfigured the flag. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
CVE-2026-41732 Jun 09, 2026
Spring Pulsar JSON Header RCE: Trusted Package Prefix (2.0.5, 1.2.17, 1.1.17) JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.
Pulsar
CVE-2026-41727 Jun 09, 2026
Spring Kafka 2.8-4.0.5 retry_topic header validation flaw Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
CVE-2026-41726 Jun 09, 2026
Spring-Kafka 2.8.0-4.0.5 OOM via DelegatingDeserializer When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Kafka
CVE-2026-41717 Jun 09, 2026
Spring Data MongoDB 5.0.5 SpEL Injection via @Query capture-all Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
CVE-2026-41853 Jun 09, 2026
Spring Framework <=7.0.7,6.2.18,6.1.27,5.3.48 Vulnerable to Multipart Smuggling Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVE-2026-41850 Jun 09, 2026
Spring Framework 5.37.0 DoS via SpEL Eval (<= v7.0.7) Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVE-2026-41848 Jun 09, 2026
Spring Framework ReDoS in AntPathMatcher <=7.0.7 (match methods) Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path). Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVE-2026-41847 Jun 09, 2026
Spring WebFlux Kotlin Router DSL Security Bypass (5.3.0-5.3.48) Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48.
CVE-2026-41845 Jun 09, 2026
Spring Framework XSS via JavaScriptUtils.javaScriptEscape() (5.37.0.7) Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVE-2026-41842 Jun 09, 2026
Spring MVC/WebFlux Static Resource DoS 5.37.0.7 Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVE-2026-41841 Jun 09, 2026
Info Disclosure via Static Resource Res in Spring Framework (v5.3-7.0) Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVE-2026-41840 Jun 09, 2026
Spring WebFlux DoS via Multipart 5.37.0.7 Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, 5.3.0 through 5.3.48.
CVE-2026-41838 Jun 09, 2026
Spring Framework WebSocket Session ID Predictability 5.3.x-7.0.x IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVE-2026-41710 Jun 09, 2026
Spring Retry 1.3.0-1.3.4/2.0.0-2.0.12: Stateful Retry Cache Capacity Exhaustion DoS An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to fail. Affected versions: Spring Retry 2.0.0 through 2.0.12; 1.3.0 through 1.3.4.
CVE-2026-49975 Jun 08, 2026
Apache HTTP Server mod_http DoS via Excessive Memory Allocation (2.4.17-2.4.67) Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
Http Server
CVE-2026-3238 Jun 08, 2026
Samba WINS NULL Deref via UDP (CVE-2026-3238) A flaw was found in Sambas WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.
CVE-2026-9256 May 22, 2026
Heap Overflow in ngx_http_rewrite_module (NGINX) via PCRE Capture Overlap NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-5947 May 20, 2026
BIND9 9.20.0-9.21.21/use-after-free via SIG(0) race during recursiveclient limit Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.
CVE-2026-42960 May 20, 2026
Unbound<=1.25.0: DNS Cache Poison via Promiscuous Authority RRSets NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411.
CVE-2026-8711 May 19, 2026
NGINX JS js_fetch_proxy Heap Overflow & Code Exec via ClientControlled Vars NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-42926 May 13, 2026
NGINX HTTP/2 Proxy Body Injection Vulnerability When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Open Source
CVE-2026-42946 May 13, 2026
NGINX SCGI/UWSGI Modules Excessive Memory Allocation via MITM A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-40460 May 13, 2026
NGINX HTTP/3 QUIC IP Spoofing for Auth / Rate Limiting Bypass When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-40701 May 13, 2026
NGINX Heap UAF via ssl_verify_client/ssl_ocsp in ngx_http_ssl_module NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-42934 May 13, 2026
NGINX ngx_http_charset_module Heap Buffer Over-read in Worker Process NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-42945 May 13, 2026
Heap Buffer Overflow in NGINX ngx_http_rewrite_module via PCRE Capture NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.