Nginx < 1.28.3 Multiple Vulnerabilities

high Web App Scanning Plugin ID 115174

Language:

Synopsis

Nginx < 1.28.3 Multiple Vulnerabilities

Description

According to its Server response header, the installed version of nginx is prior to 1.28.3 or 1.29.x prior to 1.29.7. It is, therefore, affected by the following issues :

- A vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process. (CVE-2026-27654)

- A vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination. (CVE-2026-27784)

- A vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. (CVE-2026-32647)

- When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. (CVE-2026-27651)

- NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. (CVE-2026-28753)

- A vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. (CVE-2026-28755)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to nginx version 1.28.3 or later.

See Also

https://my.f5.com/manage/s/article/K000160364

https://my.f5.com/manage/s/article/K000160366

https://my.f5.com/manage/s/article/K000160367

https://my.f5.com/manage/s/article/K000160368

https://my.f5.com/manage/s/article/K000160382

https://my.f5.com/manage/s/article/K000160383

Plugin Details

Severity: High

ID: 115174

Type: remote

Family: Component Vulnerability

Published: 3/27/2026

Updated: 3/27/2026

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C

CVSS Score Source: CVE-2026-27654

CVSS v3

Risk Factor: High

Base Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVSS Score Source: CVE-2026-27654

CVSS v4

Risk Factor: High

Base Score: 8.8

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-27654

Vulnerability Information

CPE: cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/23/2026

Reference Information

CVE: CVE-2026-27651, CVE-2026-27654, CVE-2026-27784, CVE-2026-28753, CVE-2026-28755, CVE-2026-32647

CWE: 122, 125, 190, 476, 863, 93

OWASP: 2010-A1, 2010-A8, 2013-A1, 2013-A7, 2013-A9, 2017-A1, 2017-A5, 2017-A9, 2021-A1, 2021-A3, 2021-A6, 2025-A1, 2025-A10, 2025-A5, 2025-A6

WASC: Buffer Overflow, HTTP Response Splitting, Insufficient Authorization, Integer Overflows

CAPEC: 31, 34, 540, 85, 92

DISA STIG: APSC-DV-000460, APSC-DV-002560, APSC-DV-002590, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.12.6.1, 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-CM-6b, sp800_53-SI-10, sp800_53-SI-16

OWASP API: 2019-API7, 2019-API8, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.1.3

PCI-DSS: 3.2-6.2, 3.2-6.5.1, 3.2-6.5.2, 3.2-6.5.8