—

CVE-2026-33028EXPLOITEDPATCHED

go · github.com/0xjacky/nginx-ui

Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.

Affected Products

Vendor	Product	Versions
go	github.com/0xjacky/nginx-ui	go/github.com/0xJacky/Nginx-UI: <= 1.99, go/github.com/uozi-tech/cosy: <= 1.30.0

References

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4(x_refsource_CONFIRM)
https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB6h ago

CVE-2026-33028 | 0xJacky nginx-ui up to 2.3.3 app.ini race condition (GHSA-m468-xcm6-fxg4)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch availablegithub.com/uozi-tech/cosy@1.30.1

CWECWE-362

PublishedMar 30, 2026

Last enriched5h agov2

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-33032EXP

Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover

Trending: 71

MEDIUMCVE-2026-33027EXP

Nginx UI: Improper Path Validation Allows Recursive Deletion of the Nginx Configuration Directory

Trending: 59

CRITICALCVE-2026-34041EXP

act: Unrestricted set-env and add-path command processing enables environment injection

Trending: 33

HIGHCVE-2026-33030

Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys

Trending: 27

MEDIUMCVE-2026-33029

Nginx UI: DoS via Negative Integer Input in Logrotate Interval

Trending: 23

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Mar 30, 2026

Discovered by ZDM

Mar 30, 2026

Updated: description, affectedVersions, severity, activelyExploited

Mar 30, 2026

Actively Exploited

Mar 30, 2026

Patch Available

Mar 30, 2026

Version History

Last enriched 5h ago

v2Tier C5h ago

Updated vendor to 0xJacky, product to nginx-ui, severity to HIGH, and affected versions to < 2.3.3, while also correcting exploit availability and adding a new CVE ID.

descriptionaffectedVersionsseverityactivelyExploited

via VulDB

v18h ago

Initial creation