CVSS 9.2 · CVE-2026-42945 · EXPLOITED · PATCHED
f5 · nginx plus

NGINX ngx_http_rewrite_module vulnerability

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker, together with conditions beyond the attacker's control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected Products

Vendor: f5
Product: nginx plus
Versions: R36, R32, 0.6.27, 1.30.0

References

  • https://my.f5.com/manage/s/article/K000161019 (vendor-advisory, patch)

Related News (5 articles)

Tier E · Hacker News · 54m ago
CVE-2026-42945 – Critical heap buffer overflow in Nginx ngx_HTTP_rewrite_module
→ No new info (linked only)

Tier E · Lobsters Security · 1h ago
Achieving NGINX Remote Code Execution via an 18-Year-Old Vulnerability
→ No new info (linked only)

Tier C · oss-security · 2h ago
NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945
→ No new info (linked only)

Tier C · VulDB · 4h ago
CVE-2026-42945 | F5 NGINX Plus/NGINX Open Source HTTP ngx_http_rewrite_module heap-based overflow (K000161019)
→ No new info (linked only)

Tier E · Hacker News · 4h ago
Nginx Rift: RCE via heap buffer overflow in rewrite module (CVE-2026-42945)
→ No new info (linked only)

CVSS 3.1: 9.2 CRITICAL
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 1.31.0, 1.30.1
CWE: CWE-122
Published: May 13, 2026
Last enriched: 1h ago (v3)
Tags: CVE-2026-42945
Trending Score: 75
Source articles: 5
Independent: 4
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

MEDIUM · CVE-2026-40701 · EXP
NGINX ngx_http_ssl_module vulnerability
Trending: 58

MEDIUM · CVE-2026-42934 · EXP
NGINX ngx_http_charset_module vulnerability
Trending: 58

HIGH · CVE-2026-40629 · EXP
BIG-IP SSL/TLS vulnerability
Trending: 56

HIGH · CVE-2026-40618 · EXP
BIG-IP SSL/TLS vulnerability
Trending: 56

HIGH · CVE-2026-40060 · EXP
BIG-IP Advanced WAF and ASM vulnerability
Trending: 56

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

May 13, 2026 · CVE Published
May 13, 2026 · Discovered by ZDM
May 13, 2026 · Updated: description, severity, activelyExploited
May 13, 2026 · Actively Exploited
May 13, 2026 · Patch Available
May 13, 2026 · Updated: affectedVersions, severity, cvssEstimate, patchAvailable, tags

Version History

v3
Last enriched 1h ago

v3 · Tier C · 1h ago

Updated affected versions to include 1.30.0, changed severity to CRITICAL, updated CVSS score to 9.2, and added new tags.

affectedVersions, severity, cvssEstimate, patchAvailable, tags
via oss-security

v2 · Tier C · 4h ago

Updated vendor to F5, product to NGINX Open Source, severity to CRITICAL, and noted that there is no exploit available.

description, severity, activelyExploited
via VulDB

v1 · 4h ago

Initial creation