Author Topic: CVE-2026-8711 - NGINX JavaScript vulnerability  (Read 116 times)

0 Members and 1 Guest are viewing this topic.

Offline
*****
CVE-2026-8711 - NGINX JavaScript vulnerability
« on: May 19, 2026, 06:13:48 PM »
CVE ID: CVE-2026-8711
Published: May 19, 2026, 3:16 p.m.
Description: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity: 9.2 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more...

https://cvefeed.io/vuln/detail/CVE-2026-8711

I also try to keep updated CVE's pertaining to CWP at: https://sysadmin.help/viewforum.php?f=51

Offline
*****
Re: CVE-2026-8711 - NGINX JavaScript vulnerability
« Reply #1 on: May 20, 2026, 02:33:11 AM »
I think The Register's quote for the Rift vulnerability equally applies to this new CVE:
Quote
Security researcher Kevin Beaumont noted that while the bug is real, modern Linux defaults significantly reduce the likelihood of successful real-world RCE. "Regarding CVE-2026-42945 in nginx – no modern (or even old) Linux distribution runs nginx without ASLR," Beaumont said. "So, cool, sweet technical vuln – it's valid – but the RCE apocalypse ain't coming."