SCA: security update for github.com/0xJacky/Nginx-UI (GHSA-h27v-ph7w-m9fp)

critical Tenable Self-Hosted Container Security Plugin ID 441282

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an
unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance
during the first-run setup window. The public /api/install endpoint is reachable without authentication,
and the request-encryption flow only protects payload confidentiality in transit; it does not authenticate
who is allowed to perform installation. A remote attacker who reaches the service before the legitimate
operator can set the admin email, username, and password, causing permanent initial-instance takeover.
This issue has been patched in version 2.3.8. (CVE-2026-42221)

Solution

Update the github.com/0xJacky/Nginx-UI library and its related packages to version 2.3.8 or later.

See Also

https://github.com/advisories/GHSA-h27v-ph7w-m9fp

Plugin Details

Severity: Critical

ID: 441282

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 5/6/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.84

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-42221

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/6/2026

Vulnerability Publication Date: 5/4/2026

Reference Information

CVE: CVE-2026-42221

cwe: CWE-306