NGINX Makers of nginx server
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any NGINX product.
RSS Feeds for NGINX security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in NGINX products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by NGINX Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 1 vulnerability in NGINX with an average score of 5.9 out of ten. Last year, in 2025 NGINX had 1 security vulnerability published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in NGINX in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.60.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 5.90 |
| 2025 | 1 | 4.30 |
| 2024 | 6 | 5.85 |
| 2023 | 5 | 8.42 |
| 2022 | 16 | 7.33 |
| 2021 | 2 | 8.75 |
| 2020 | 5 | 6.08 |
| 2019 | 12 | 9.23 |
| 2018 | 3 | 7.03 |
It may take a day or so for new NGINX vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent NGINX Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-1642 | Feb 04, 2026 |
NGINX TLS Proxy MITM Plain Text InjectionA vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server sidealong with conditions beyond the attacker's controlmay be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
nginx
|
| CVE-2025-23419 | Feb 05, 2025 |
Nginx TLS Session Resumption Bypass on Shared IP/Port with ClientCert AuthWhen multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
nginx
|
| CVE-2024-7347 | Aug 14, 2024 |
NGINX ngx_http_mp4 overflow crash via crafted MP4NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
nginx
|
| CVE-2024-34161 | May 29, 2024 |
NGINX QUIC Packet Leak: Undisclosed QUIC Causes Worker Process Memory LeakWhen NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory. |
nginx
|
| CVE-2024-35200 | May 29, 2024 |
NGINX: Worker Crashes via Undisclosed HTTP/3 QUIC RequestsWhen NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate. |
nginx
|
| CVE-2024-31079 | May 29, 2024 |
NGINX HTTP/3 QUIC Module Process Termination via Undisclosed RequestsWhen NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over. |
nginx
|
| CVE-2024-24989 | Feb 14, 2024 |
NGINX QUIC Crash via Undisclosed HTTP/3 Requests (CVE-2024-24989)When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated |
nginx
|
| CVE-2024-24990 | Feb 14, 2024 |
NGINX HTTP/3 QUIC Module Crashes Workers on Undisclosed RequestsWhen NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated |
nginx
|
| CVE-2023-44487 | Oct 10, 2023 |
HTTP/2 DoS via Stream Reset in nginxThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
nginx
|
| CVE-2023-27730 | Apr 09, 2023 |
Nginx NJS 0.7.10 SeGV via njs_lvlhsh_find (CVE-2023-27730)Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_lvlhsh_find at src/njs_lvlhsh.c. |
Njs
|