CVE-2026-33029 · PATCHED
go · github.com/0xjacky/nginx-ui

Nginx UI: DoS via Negative Integer Input in Logrotate Interval

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive. This issue has been patched in version 2.3.4.

Affected Products

Vendor | Product | Versions
go | github.com/0xjacky/nginx-ui | go/github.com/0xJacky/Nginx-UI: <= 1.99

References

  • https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-cp8r-8jvw-v3qg (x_refsource_CONFIRM)
  • https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4 (x_refsource_MISC)

Related News (1 article)

Tier C · VulDB · 8h ago
CVE-2026-33029 | 0xJacky nginx-ui up to 2.3.3 Web Interface denial of service (GHSA-cp8r-8jvw-v3qg)
→ No new info (linked only)

CVSS 3.1: 0.0 MEDIUM
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: 2.3.4
CWE: CWE-20
Published: Mar 30, 2026
Last enriched: 7h ago (v2)
Tags: GHSA-cp8r-8jvw-v3qg, go
Trending Score: 23
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-33032 · EXP
Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
Trending: 70
MEDIUM · CVE-2026-33027 · EXP
Nginx UI: Improper Path Validation Allows Recursive Deletion of the Nginx Configuration Directory
Trending: 59
HIGH · CVE-2026-33028 · EXP
Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse
Trending: 53
MEDIUM · CVE-2026-33990
Docker Model Runner OCI Registry Client Vulnerable to Server-Side Request Forgery (SSRF)
Trending: 33
NONE · CVE-2026-34041 · EXP
act: Unrestricted set-env and add-path command processing enables environment injection
Trending: 32

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Mar 30, 2026
Discovered by ZDM: Mar 30, 2026
Patch Available: Mar 30, 2026
Updated (affectedVersions, severity, cvssEstimate, patchAvailable): Mar 30, 2026

Version History

v2 · Tier C · 7h ago

Updated vendor to 0xJacky, product to nginx-ui, affected versions to 2.3.3, severity to HIGH, and patch available to version 2.3.4.

affectedVersions, severity, cvssEstimate, patchAvailable
via VulDB

v1 · 10h ago

Initial creation