F5 Networks
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any F5 Networks product.
RSS Feeds for F5 Networks security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in F5 Networks products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by F5 Networks Sorted by Most Security Vulnerabilities since 2018
Recent F5 Networks Security Advisories
| Advisory | Title | Published |
|---|---|---|
| K000161837 | K000161837: Out-of-band Security Notification (July 15, 2026) | July 15, 2026 |
| K000162101 | K000162101: NGINX Plus ngx_stream_mqtt_filter_module vulnerability CVE-2026-60065 | July 15, 2026 |
| K000162097 | K000162097: NGINX map directive and regex matching vulnerability CVE-2026-42533 | July 15, 2026 |
| K000161834 | K000161834: NGINX Ingress Controller vulnerability CVE-2026-52865 | July 15, 2026 |
| K000161971 | K000161971: NGINX Agent vulnerability CVE-2026-60062 | July 15, 2026 |
| K000161800 | K000161800: NGINX Ingress Controller vulnerability CVE-2026-55723 | July 15, 2026 |
| K000162231 | K000162231: BIG-IP HTTP/2 vulnerability CVE-2026-59762 | July 15, 2026 |
| K000162100 | K000162100: NGINX ngx_http_slice_module vulnerability CVE-2026-60005 | July 15, 2026 |
| K000162098 | K000162098: NGINX ngx_http_ssi_module vulnerability CVE-2026-56434 | July 15, 2026 |
| K000162282 | K000162282: Node.js vulnerabilities CVE-2026-48931 and CVE-2026-48934 | July 15, 2026 |
Known Exploited F5 Networks Vulnerabilities
The following F5 Networks vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| F5 BIG-IP Unspecified Vulnerability |
F5 BIG-IP APM contains an unspecified vulnerability that could allow a threat actor to achieve remote code execution. CVE-2025-53521 Exploit Probability: 2.2% |
March 27, 2026 |
| F5 BIG-IP Configuration Utility SQL Injection Vulnerability |
F5 BIG-IP Configuration utility contains an SQL injection vulnerability that may allow an authenticated attacker with network access through the BIG-IP management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46747. CVE-2023-46748 Exploit Probability: 4.5% |
October 31, 2023 |
| F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability |
F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748. CVE-2023-46747 Exploit Probability: 96.5% |
October 31, 2023 |
| F5 BIG-IP Missing Authentication Vulnerability |
F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services. CVE-2022-1388 Exploit Probability: 100.0% |
May 10, 2022 |
| F5 BIG-IP Traffic Management Microkernel Buffer Overflow |
The Traffic Management Microkernel of BIG-IP ASM Risk Engine has a buffer overflow vulnerability, leading to a bypassing of URL-based access controls. CVE-2021-22991 Exploit Probability: 61.1% |
January 18, 2022 |
| F5 BIG-IP Traffic Management User Interface Remote Code Execution Vulnerability |
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. CVE-2020-5902 Exploit Probability: 100.0% |
November 3, 2021 |
| F5 iControl REST unauthenticated Remote Code Execution Vulnerability |
The iControl REST interface has an unauthenticated remote command execution vulnerability. CVE-2021-22986 Exploit Probability: 99.9% |
November 3, 2021 |
Of the known exploited vulnerabilities above, 5 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.
By the Year
In 2026 there have been 216 vulnerabilities in F5 Networks with an average score of 7.0 out of ten. Last year, in 2025 F5 Networks had 382 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in F5 Networks in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.15.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 216 | 6.98 |
| 2025 | 382 | 6.84 |
| 2024 | 346 | 6.46 |
| 2023 | 177 | 6.99 |
| 2022 | 406 | 7.04 |
| 2021 | 328 | 7.23 |
| 2020 | 263 | 6.62 |
| 2019 | 306 | 6.76 |
| 2018 | 218 | 7.01 |
It may take a day or so for new F5 Networks vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent F5 Networks Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-60005 | Jul 15, 2026 |
NGINX ngx_http_slice_module UAF: Uninitialized Mem AccessNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_slice_module module. When the slice directive and unnamed regex captures are configured or when a background cache update happens, unauthenticated attackers can send requests that may cause uninitialized memory access in the NGINX worker process, leading to limited disclosure of memory or a restart. Impact: This vulnerability may allow remote, unauthenticated attackers to have limited control to disclose memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: The ngx_http_slice_module module is not enabled by default; it's enabled with the --with-http_slice_module configuration parameter. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-56434 | Jul 15, 2026 |
Heap OOB in NGINX ngx_http_ssi_moduleNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssi_module module. This vulnerability may exist when the Server-Side Includes (SSI), proxy_pass, and proxy_buffering off directives are configured. With this configuration, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to cause a use-after-free in the NGINX worker process. This issue may lead to limited modification of memory or a restart of the NGINX worker process. Impact: This vulnerability may allow remote attackers to have limited control to modify memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-42533 | Jul 15, 2026 |
NGINX Map Regex Heap Overflow Remote DoSA vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map's regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Impact: This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-60065 | Jul 15, 2026 |
NGINX Plus MQTT Filter Module Heap Buffer Over-Read (Restart)When NGINX Plus is configured to use the Message Queuing Telemetry Transport (MQTT) filter module (ngx_stream_mqtt_filter_module), unauthenticated attackers can send requests with conditions beyond the attacker's control to cause a heap buffer over-read in the NGINX worker process, leading to a restart. Impact: This vulnerability may allow remote unauthenticated attackers to have limited control to restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-55723 | Jul 15, 2026 |
NGINX Ingress Controller CRD Injection Allows Arbitrary Config WriteWhen NGINX Ingress Controller is configured with Custom Resource Definitions (CRDs) or Ingress annotations, an injection vulnerability exists in the configuration generator of NGINX Ingress Controller. Multiple user-controllable fields are written into the generated NGINX configuration without sanitization. An authenticated attacker with permission to create or modify these CRDs or annotations may craft values that inject arbitrary NGINX configuration directives. Impact: An authenticated attacker granted write access to NGINX Ingress Controller CRDs or Ingress annotations through the Kubernetes API may be able to inject arbitrary NGINX configuration directives, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-60062 | Jul 15, 2026 |
NGINX Agent config_dirs Path Traversal RCE via Low-Priv Priv EscThe NGINX Agent config_dirs directive allows a low-privileged attacker to gain limited read and write access to files outside of the designated secure directory. The config_dirs directive required for this issue can also be configured through NGINX Instance Manager. A successful exploit may allow an attacker to cross a security boundary. Impact: A remotely authenticated low-privileged attacker could gain limited read and write access outside of the list of directories specified in the NGINX Agent configuration. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-52865 | Jul 15, 2026 |
NGINX Ingress Controller DoS via Malformed Ingress ResourceWhen NGINX Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission to create or modify Ingress or TransportServer resources can cause the NGINX Ingress Controller process to terminate. Impact: The NGINX Ingress Controller control plane process terminates and enters a persistent crash loop while the malformed Ingress or TransportServer resource remains in the cluster. This vulnerability allows a remote, authenticated attacker with at least Ingress or TransportServer resource write access to cause a denial-of-service (DoS) on the NGINX Ingress Controller system. There is no data plane exposure; this is a control plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-59762 | Jul 15, 2026 |
HTTP/2 Unauth DoS in F5 BIG-IP Virtual ServerWhen an HTTP/2 profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Impact: System performance can degrade until the TMM process is either forced to restart or is manually restarted. This vulnerability allows a remote, unauthenticated attacker to cause a degradation of service that can lead to a denial-of-service (DoS) on the BIG-IP system. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-48934 | Jun 26, 2026 |
Node.js TLS Host Verification Bypass in Certification ValidationA flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. |
|
| CVE-2026-48619 | Jun 26, 2026 |
Node.js HTTP/2 Client OOM via Unlimited ORIGIN FramesA flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. |
|
| CVE-2026-48936 | Jun 26, 2026 |
Node.js Permission API flaw spawns local server via Unix socketA flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**. |
|
| CVE-2026-53102 | Jun 24, 2026 |
Linux kernel mt76 WiFi driver memory leak in skb allocationIn the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req() mt76_connac_mcu_alloc_sta_req() allocates an skb which is expected to be freed eventually by mt76_mcu_skb_send_msg(). However, currently if an intermediate function fails before sending, the allocated skb is leaked. Specifically, mt76_connac_mcu_sta_wed_update() and mt76_connac_mcu_sta_key_tlv() may fail, leading to an immediate memory leak in the error path. Fix this by explicitly freeing the skb in these error paths. Commit 7c0f63fe37a5 ("wifi: mt76: mt7996: fix memory leak on mt7996_mcu_sta_key_tlv error") made a similar change. Compile tested only. Issue found using a prototype static analysis tool and code review. |
|
| CVE-2026-48931 | Jun 22, 2026 |
Node.js HTTP Agent accepts premature response CVE-2026-48931A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. |
|
| CVE-2026-32682 | Jun 17, 2026 |
Authenticated Remote Attacker Can Crash NGINX GW Fabric via GRPCRouteWhen NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-50107 | Jun 17, 2026 |
NGINX Gateway Fabric Config Generator Injection in CRD Log FormatWhen NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-42055 | Jun 17, 2026 |
NGINX Heap Buffer Overflow via Large HTTP/2 Headers in Proxy ModulesNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-11311 | Jun 17, 2026 |
NGINX Gateway Fabric Config Generator Injection via Unescaped CRD FieldsWhen NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-48142 | Jun 17, 2026 |
NGINX ngx_http_charset_module Heap Buffer Over-Read (CVE-2026-48142)NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-42530 | Jun 17, 2026 |
NGINX v3 Module UAF via HTTP/3 Session ReopenNGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-47825 | Jun 15, 2026 |
Spring Cloud Gateway XFF Header Forwarding Issue (3.1.13)Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway 4.1.x (fix 4.1.13). Spring Cloud Gateway 4.2.x (fix 4.2.9). Spring Cloud Gateway 4.3.x (fix 4.3.5). Spring Cloud Gateway 5.0.x (fix 5.0.2). |
|
| CVE-2026-41700 | Jun 11, 2026 |
Spring GraphQL WebSocket Hijacking (v1.02.0.3)Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6. |
|
| CVE-2026-41699 | Jun 11, 2026 |
RCE via Unsafe Deserialization in Spring for GraphQL 1.32.0Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8. |
|
| CVE-2026-41000 | Jun 11, 2026 |
Spring WS ReplayCache Wiring Flaw (5.0.x,4.1.x,4.0.x,3.1.x)Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. |
|
| CVE-2026-40996 | Jun 11, 2026 |
Spring Web Services 3.1.0-5.0.1 Insecure RSA PKCS#1 v1.5 Key Transport DefaultWss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material unless operators explicitly reconfigured the flag. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. |
|
| CVE-2026-41732 | Jun 09, 2026 |
Spring Pulsar JSON Header RCE: Trusted Package Prefix (2.0.5, 1.2.17, 1.1.17)JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17. |
|
| CVE-2026-41727 | Jun 09, 2026 |
Spring Kafka 2.8-4.0.5 retry_topic header validation flawSpring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11. |
|
| CVE-2026-41726 | Jun 09, 2026 |
Spring-Kafka 2.8.0-4.0.5 OOM via DelegatingDeserializerWhen an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11. |
|
| CVE-2026-41717 | Jun 09, 2026 |
Spring Data MongoDB 5.0.5 SpEL Injection via @Query capture-allSpring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19. |
|
| CVE-2026-41853 | Jun 09, 2026 |
Spring Framework <=7.0.7,6.2.18,6.1.27,5.3.48 Vulnerable to Multipart SmugglingSpring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. |
|
| CVE-2026-41850 | Jun 09, 2026 |
Spring Framework 5.37.0 DoS via SpEL Eval (<= v7.0.7)Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. |
|
| CVE-2026-41848 | Jun 09, 2026 |
Spring Framework ReDoS in AntPathMatcher <=7.0.7 (match methods)Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path). Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. |
|
| CVE-2026-41847 | Jun 09, 2026 |
Spring WebFlux Kotlin Router DSL Security Bypass (5.3.0-5.3.48)Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48. |
|
| CVE-2026-41845 | Jun 09, 2026 |
Spring Framework XSS via JavaScriptUtils.javaScriptEscape() (5.37.0.7)Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. |
|
| CVE-2026-41842 | Jun 09, 2026 |
Spring MVC/WebFlux Static Resource DoS 5.37.0.7Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. |
|
| CVE-2026-41841 | Jun 09, 2026 |
Info Disclosure via Static Resource Res in Spring Framework (v5.3-7.0)Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. |
|
| CVE-2026-41840 | Jun 09, 2026 |
Spring WebFlux DoS via Multipart 5.37.0.7Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, 5.3.0 through 5.3.48. |
|
| CVE-2026-41838 | Jun 09, 2026 |
Spring Framework WebSocket Session ID Predictability 5.3.x-7.0.xIDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. |
|
| CVE-2026-41710 | Jun 09, 2026 |
Spring Retry 1.3.0-1.3.4/2.0.0-2.0.12: Stateful Retry Cache Capacity Exhaustion DoSAn attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to fail. Affected versions: Spring Retry 2.0.0 through 2.0.12; 1.3.0 through 1.3.4. |
|
| CVE-2026-49975 | Jun 08, 2026 |
Apache HTTP Server mod_http DoS via Excessive Memory Allocation (2.4.17-2.4.67)Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67. |
|
| CVE-2026-3238 | Jun 08, 2026 |
Samba WINS NULL Deref via UDP (CVE-2026-3238)A flaw was found in Sambas WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets. |
|
| CVE-2026-9256 | May 22, 2026 |
Heap Overflow in ngx_http_rewrite_module (NGINX) via PCRE Capture OverlapNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-5947 | May 20, 2026 |
BIND9 9.20.0-9.21.21/use-after-free via SIG(0) race during recursiveclient limitUndefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected. |
|
| CVE-2026-42960 | May 20, 2026 |
Unbound<=1.25.0: DNS Cache Poison via Promiscuous Authority RRSetsNLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411. |
|
| CVE-2026-8711 | May 19, 2026 |
NGINX JS js_fetch_proxy Heap Overflow & Code Exec via ClientControlled VarsNGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-42926 | May 13, 2026 |
NGINX HTTP/2 Proxy Body Injection VulnerabilityWhen NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-42946 | May 13, 2026 |
NGINX SCGI/UWSGI Modules Excessive Memory Allocation via MITMA vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-40460 | May 13, 2026 |
NGINX HTTP/3 QUIC IP Spoofing for Auth / Rate Limiting BypassWhen NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-40701 | May 13, 2026 |
NGINX Heap UAF via ssl_verify_client/ssl_ocsp in ngx_http_ssl_moduleNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-42934 | May 13, 2026 |
NGINX ngx_http_charset_module Heap Buffer Over-read in Worker ProcessNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-42945 | May 13, 2026 |
Heap Buffer Overflow in NGINX ngx_http_rewrite_module via PCRE CaptureNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|