F5 Networks

Products by F5 Networks Sorted by Most Security Vulnerabilities since 2018

F5 Networks Big Ip Analytics: 357 vulnerabilities

F5 Networks Big Ip Edge Gateway: 166 vulnerabilities

F5 Networks Big Ip: 147 vulnerabilities

F5 Networks Big Ip Websafe: 54 vulnerabilities

F5 Networks 53 vulnerabilities

F5 Networks Nginx: 48 vulnerabilities

F5 Networks Njs: 39 vulnerabilities

F5 Networks Ssl Orchestrator: 27 vulnerabilities

F5 Networks Enterprise Manager: 27 vulnerabilities

F5 Networks Tomcat: 26 vulnerabilities

F5 Networks Nginx Plus: 23 vulnerabilities

F5 Networks Nginx Open Source: 22 vulnerabilities

F5 Networks Http Server: 14 vulnerabilities

F5 Networks F5os A: 8 vulnerabilities

F5 Networks Java: 8 vulnerabilities

F5 Networks F5os C: 7 vulnerabilities

F5 Networks Mysql: 7 vulnerabilities

F5 Networks Big Iq Cloud: 5 vulnerabilities

F5 Networks Big Iq Device: 5 vulnerabilities

F5 Networks Big Iq Security: 5 vulnerabilities

F5 Networks Big Ip Dns: 4 vulnerabilities

F5 Networks Big Ip Apm: 4 vulnerabilities

F5 Networks Big Ip Next: 3 vulnerabilities

F5 Networks Nginx Agent: 2 vulnerabilities

F5 Networks Solr: 2 vulnerabilities

F5 Networks Ofbiz: 1 vulnerability

F5 Networks Nginx Unit: 1 vulnerability

F5 Networks Graalvm: 1 vulnerability

Recent F5 Networks Security Advisories

| Advisory | Title | Published |
|---|---|---|
| K000161278 | K000161278: Spring Cloud vulnerability CVE-2026-22739 | May 14, 2026 |
| K000161273 | K000161273: MySQL vulnerabilities CVE-2026-34317, CVE-2026-34318 and CVE-2026-34319 | May 14, 2026 |
| K000161272 | K000161272: Spring Security vulnerability CVE-2026-22753 | May 14, 2026 |
| K000160932 | K000160932: Quarterly Security Notification (May 2026) | May 14, 2026 |
| K000161266 | K000161266: Node.js vulnerability CVE-2025-23166 | May 14, 2026 |
| K000160979 | K000160979: BIG-IP iControl SOAP vulnerability CVE-2026-40631 | May 13, 2026 |
| K000160971 | K000160971: BIG-IP and BIG-IQ privilege escalation vulnerability CVE-2026-42406 | May 13, 2026 |
| K000160981 | K000160981: iControl REST and tmsh vulnerability CVE-2026-40698 | May 13, 2026 |
| K000160972 | K000160972: BIG-IP and BIG-IQ privilege escalation vulnerability CVE-2026-32643 | May 13, 2026 |
| K000160975 | K000160975: BIG-IP privilege escalation vulnerability CVE-2026-41953 | May 13, 2026 |

Known Exploited F5 Networks Vulnerabilities

The following F5 Networks vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

| Title | CVE | Exploit Probability | Description | Added |
|---|---|---|---|---|
| F5 BIG-IP Unspecified Vulnerability | CVE-2025-53521 | 7.5% | F5 BIG-IP APM contains an unspecified vulnerability that could allow a threat actor to achieve remote code execution. | March 27, 2026 |
| F5 BIG-IP Configuration Utility SQL Injection Vulnerability | CVE-2023-46748 | 4.3% | F5 BIG-IP Configuration utility contains an SQL injection vulnerability that may allow an authenticated attacker with network access through the BIG-IP management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46747. | October 31, 2023 |
| F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability | CVE-2023-46747 | 94.4% | F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748. | October 31, 2023 |
| F5 BIG-IP Missing Authentication Vulnerability | CVE-2022-1388 | 94.5% | F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services. | May 10, 2022 |
| F5 BIG-IP Traffic Management Microkernel Buffer Overflow | CVE-2021-22991 | 73.1% | The Traffic Management Microkernel of BIG-IP ASM Risk Engine has a buffer overflow vulnerability, leading to a bypassing of URL-based access controls. | January 18, 2022 |
| F5 BIG-IP Traffic Management User Interface Remote Code Execution Vulnerability | CVE-2020-5902 | 94.4% | In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. | November 3, 2021 |
| F5 iControl REST unauthenticated Remote Code Execution Vulnerability | CVE-2021-22986 | 94.5% | The iControl REST interface has an unauthenticated remote command execution vulnerability. | November 3, 2021 |

Of the known exploited vulnerabilities above, 4 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. The vulnerability CVE-2021-22991: F5 BIG-IP Traffic Management Microkernel Buffer Overflow is in the top 5% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 122 vulnerabilities in F5 Networks with an average score of 6.9 out of ten. Last year, in 2025, F5 Networks had 356 security vulnerabilities published. Right now, F5 Networks is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.01.

| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 122 | 6.90 |
| 2025 | 356 | 6.89 |
| 2024 | 345 | 6.46 |
| 2023 | 177 | 7.00 |
| 2022 | 405 | 7.04 |
| 2021 | 327 | 7.23 |
| 2020 | 263 | 6.63 |
| 2019 | 303 | 6.75 |
| 2018 | 216 | 7.03 |

It may take a day or so for new F5 Networks vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent F5 Networks Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-42926 May 13, 2026
NGINX HTTP/2 Proxy Body Injection Vulnerability When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Open Source
CVE-2026-42946 May 13, 2026
NGINX SCGI/UWSGI Modules Excessive Memory Allocation via MITM A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-40460 May 13, 2026
NGINX HTTP/3 QUIC IP Spoofing for Auth / Rate Limiting Bypass When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-42945 May 13, 2026
Heap Buffer Overflow in NGINX ngx_http_rewrite_module via PCRE Capture NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-42934 May 13, 2026
NGINX ngx_http_charset_module Heap Buffer Over-read in Worker Process NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that, along with conditions beyond the attackers' control, cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-40701 May 13, 2026
NGINX Heap UAF via ssl_verify_client/ssl_ocsp in ngx_http_ssl_module NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-24464 May 13, 2026
Dir Traversal in F5 iControl REST Allows File Deletion When running in Appliance mode, a directory traversal vulnerability exists in an undisclosed iControl REST endpoint that may allow an authenticated attacker with administrator role privileges to cross a security boundary and delete files.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40423 May 13, 2026
F5 BIG-IP TMM Crash via Undisclosed SIP Traffic (CVE-2026-40423) When a SIP profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42930 May 13, 2026
CVE-2026-42930: BIG-IP Admin role bypasses Appliance Mode When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP system.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41959 May 13, 2026
F5 BIG-IP BIG-IQ TMOS Shell Permissions Leak Network Status Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of destination systems.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-39458 May 13, 2026
F5 BIGIP TMM Crash via DNS Cache on Virtual Server When a BIG-IP DNS profile enabled with DNS cache is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42058 May 13, 2026
Authenticated iControl REST Leak in F5 BIG-IP Local Users An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-32643 May 13, 2026
Auth Bypass in F5 BIGIP allows Config Mod for Arbitrary Code Exec A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42406 May 13, 2026
F5 BIG-IP / BIG-IQ Authenticated Cmd Injection via Cert Mngr Role A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands.     Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42937 May 13, 2026
F5 BIG-IP tmsh arp/ndp PrivEsc Exposing Adjacent Net Info Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-39455 May 13, 2026
F5 BIG-IP LDAP Auth Causes httpd FD Exhaustion When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic can cause the httpd process to exhaust the available file descriptors.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41217 May 13, 2026
BIG-IP TMOS TMSH Command RCE with Escalated Privileges A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges. In Appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-34176 May 13, 2026
Authenticated Remote Cmd Injection in F5 iControl REST When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-32673 May 13, 2026
BIG-IP Scripted Monitors Exec Arbitrary Cmd & Cross Security Boundary A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. In appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41225 May 13, 2026
Arbitrary Cmd Exec in F5 BIG-IP iControl REST A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-39459 May 13, 2026
Arbitrary Cmd Exec via Privileged Role in F5 BIG-IP iControl REST/TMOS Shell A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42063 May 13, 2026
Auth Res Admin Can Download Sensitive Files via iControl SOAP A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41953 May 13, 2026
Big-IP Resource Admin Privilege Escalation via Config Mod A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configuration objects resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40698 May 13, 2026
PrivEsc via SNMP Config Creation on F5 BIG-IP/BIG-IQ A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can create SNMP configuration objects through iControl REST or the TMOS shell (tmsh) resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40631 May 13, 2026
Privilege Escalation via iControl SOAP in F5 BIG-IP An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40060 May 13, 2026
F5 BIGIP WAF Crash: bd Process Terminates via Undisclosed Requests When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42924 May 13, 2026
Priv Escalation via iControl SOAP SNMP Config Create in F5 BIG-IP An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41227 May 13, 2026
F5 BIG-IP HTTP/2 L7 DoS Protection causes TMM memory exhaustion On an HTTP/2 virtual server with Layer 7 DoS Protection configured, undisclosed traffic can result in an increase in memory consumption causing the Traffic Management Microkernel (TMM) process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40061 May 13, 2026
Auth PLE in F5 BIG-IP DNS via iControl REST/TM Shell When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. In Appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42409 May 13, 2026
DoS via HTTP::redirect/HTTP::respond iRule on F5 BIG-IP TMM When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40618 May 13, 2026
SSL Profile Misconfig Causes TMM Crash on F5 BIG-IP VE/hardware When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT) or on BIG-IP hardware platforms with the database variable crypto.hwacceleration set to disabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41956 May 13, 2026
TMM Crash on F5 BIG-IP UDP Virtual Server via Undisclosed Requests When a classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-35062 May 13, 2026
BIG-IP iControl SOAP Auth User Can Get Other Accounts (CVE-2026-35062) An authenticated iControl SOAP user may be able to obtain information of other accounts.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40629 May 13, 2026
F5 BIGIP SSL Profile Bug Undisclosed Traffic Blocks New Connections When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42920 May 13, 2026
F5 BIG-IP TMM Crash via Dynamic RecFmt on UDP SSL When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42781 May 13, 2026
ePVA Resource Exhaustion via Local Ethernet Traffic (F5 BIG-IP) When embedded Packet Velocity Acceleration (ePVA) acceleration is configured, undisclosed local ethernet traffic can cause an increase in ePVA and Traffic Management Microkernel (TMM) resource utilization.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42919 May 13, 2026
BIG-IP Priv Escalation via Authenticated Admin (CVE-2026-42919) A vulnerability exists in BIG-IP systems that may allow an authenticated attacker with administrative access to escalate their privileges. A successful exploit may allow the attacker to cross a security boundary.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41218 May 13, 2026
F5 BIG-IP TMM Crash via PEM iRules exploitation When BIG-IP PEM iRules are configured on a virtual server (iRules using commands starting with CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and the urlcatquery command), undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-20916 May 13, 2026
Authenticated iControl REST File Write on BIGIQ An authenticated iControl REST user with low privileges can create or modify arbitrary files through an undisclosed iControl REST endpoint on the BIG-IQ system.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-42408 May 13, 2026
Privileged Auth Info Disclosure via Hidden TMOS Shell Cmd in BIGIP DNS When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed TMOS Shell (tmsh) command that may allow a highly privileged authenticated attacker to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41957 May 13, 2026
Auth RCE in F5 BIG-IP/BIG-IQ Configuration Utility An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-34019 May 13, 2026
BFD Vulnerability in F5 BIG-IP TMM Leads to Routing Failover When Bidirectional Forwarding Detection (BFD) is configured in Static and Dynamic routing protocols, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to stop processing BFD packets and cause the configured routing protocol to fail over.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40699 May 13, 2026
Auth Bypass in F5 BIG-IP Config UI A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40067 May 13, 2026
apmd Crash via Undisclosed Traffic in BIG-IP APM Access Policy When a BIG-IP APM access policy is configured on a virtual server, undisclosed traffic can cause the apmd process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42780 May 13, 2026
F5 BIG-IP SSL Orchestrator Directory Traversal CVE-2026-42780 A directory traversal vulnerability exists in BIG-IP SSL Orchestrator that allows an authenticated attacker with high privilege to overwrite, delete or corrupt arbitrary local files.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
Ssl Orchestrator
CVE-2026-41219 May 13, 2026
F5 BIG-IP QKView Improper Sanitization Leak An improper sanitization vulnerability exists in the BIG-IP QKView utility that allows a low-privileged attacker to read sensitive information from a QKView file. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-28758 May 13, 2026
F5 BIG-IP DNS gtm_add Returns SSH-Password in Cleartext via iControl REST When BIG-IP DNS is provisioned, a vulnerability exists in the gtm_add and bigip_add iControl REST commands that return the ssh-password parameter in cleartext in the iControl REST response and is also logged in the audit log. This may allow a highly privileged, authenticated attacker with access to the audit log to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41954 May 13, 2026
F5 BIG-IP iControl REST/TMSH Authenticated Info Disclosure Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40462 May 13, 2026
F5 BIG-IP iControl REST Shell Permission Bypass (CVE-2026-40462) Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40703 May 13, 2026
BIG-IP Config UI CSRF in Dashboard A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).