#nginx

HTTP/2 Bomb: 5,700x Envoy, 4,000x Apache amplification via HPACK + flow control

100Mbps to 32GB via HPACK + flow control stall. Envoy 5,700:1, Apache 4,000:1. Patch status: nginx 1.29.8, mod_h2 v2.0.41, Envoy 1.35–1.38, IIS/Pingora unpatched.

nginx CVE-2026-8711 (njs) and CVE-2026-9256 (rewrite) after Rift

After Rift, two more nginx CVEs landed in late May 2026: njs js_fetch_proxy heap overflow CVE-2026-8711 and a second rewrite-module heap overflow CVE-2026-9256. Both pre-auth, CVSS v4.0 9.2, config-specific. Concrete grep checks and patch paths.

nginx CVE-2026-42945: rewrite heap overflow in 0.6.27–1.30.0, RCE without ASLR

CVE-2026-42945 hits nginx 0.6.27–1.30.0 rewrite module with heap overflow. CVSS 9.2 but only fires on specific rewrite+capture+set patterns. How to check with nginx -T and what to patch.

nginx-ui MCP Endpoint Missing Authentication (CVE-2026-33032) Exploited in the Wild, No Patch Available

A CVSS 9.8 authentication bypass in nginx-ui's /mcp_message endpoint lets unauthenticated remote attackers rewrite nginx configurations. Active exploitation confirmed, no patch yet.