Nginx is one of the most popular web servers, powering almost one third of all websites on the internet, and is integrated into many commercial products as well. The software is also commonly used as a reverse proxy, load balancer and cache for other web applications and servers.
CVE-2026-42945 is located in ngx_http_rewrite_module, the component that handles URL rewrites, and affects Nginx open-source versions 0.6.27 through 1.30.0. The issue carries a CVSS score of 9.2 and was patched in versions 1.31.0 and 1.30.1.
The commercial product Nginx Plus, owned and developed by network and application security firm F5, is also vulnerable and received patches in versions R36 P4, R32 P6 and 37.0.0. Other F5 products built on Nginx open source and Nginx Plus are affected as well but have not yet received updates: Nginx Instance Manager, F5 WAF for Nginx, Nginx App Protect WAF, F5 DoS for Nginx, Nginx App Protect DoS, Nginx Gateway Fabric and Nginx Ingress Controller.
“This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?),” F5 said in its advisory. According to the company, exploitation results in a denial-of-service condition in the form of a server crash and, on systems with Address Space Layout Randomization (ASLR) disabled, arbitrary code execution.
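Administrators who cannot patch immediately will want to know whether any of their configurations actually contain the pattern F5 describes. The following triage script is an added example written for this article; it is not code from F5, the Nginx project or the advisory, and it does not reproduce or confirm the crash. It uses a deliberately minimal nginx config splitter (enough for well-formed files with comments, quoted arguments and nested blocks, which is an assumption) and flags every rewrite whose replacement string both references an unnamed capture ($1 to $9) and contains a question mark, when a rewrite, if or set directive appears later in the same block. Reading "followed by" as any later sibling directive rather than only the next one is a deliberate over-approximation so that the scan errs toward reporting; the sample configuration is constructed for the example.

```python
import re

UNNAMED_CAPTURE = re.compile(r"\$[1-9]")   # $1..$9 as used by the advisory's example
FOLLOWERS = {"rewrite", "if", "set"}       # directives named in the F5 advisory


def parse_statements(text):
    """Return a list of (block_id, directive, args) for an nginx config.

    Minimal splitter (assumption: well-formed input). Handles '#' comments,
    single/double-quoted arguments and nested {} blocks. A block header such
    as `location /x {` or `if (...) {` is recorded as a statement in the
    enclosing block, so `if` counts as a sibling of a preceding rewrite.
    """
    stmts, block_stack, next_block = [], [0], 1
    tokens, cur, quote = [], [], None
    i, n = 0, len(text)

    def flush():
        if cur:
            tokens.append("".join(cur))
            cur.clear()

    while i < n:
        c = text[i]
        if quote:                                   # inside a quoted argument
            if c == "\\" and i + 1 < n:             # keep escapes verbatim
                cur.append(c + text[i + 1])
                i += 2
                continue
            if c == quote:
                quote = None
            else:
                cur.append(c)
        elif c in "\"'":
            quote = c
        elif c == "#":                              # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
            continue
        elif c.isspace():
            flush()
        elif c == ";":
            flush()
            if tokens:
                stmts.append((block_stack[-1], tokens[0], tokens[1:]))
            tokens.clear()
        elif c == "{":
            flush()
            stmts.append((block_stack[-1], tokens[0] if tokens else "", tokens[1:]))
            block_stack.append(next_block)
            next_block += 1
            tokens.clear()
        elif c == "}":
            flush()
            if len(block_stack) > 1:
                block_stack.pop()
        else:
            cur.append(c)
        i += 1
    return stmts


def find_risky_rewrites(config_text):
    """Return (regex, replacement, following_directive) for each rewrite that
    matches the advisory's description: unnamed capture plus '?' in the
    replacement, with a rewrite/if/set later in the same block."""
    stmts = parse_statements(config_text)
    findings = []
    for idx, (block, directive, args) in enumerate(stmts):
        if directive != "rewrite" or len(args) < 2:
            continue
        regex, replacement = args[0], args[1]
        if "?" not in replacement or not UNNAMED_CAPTURE.search(replacement):
            continue
        for later_block, later_dir, _ in stmts[idx + 1:]:
            if later_block == block and later_dir in FOLLOWERS:
                findings.append((regex, replacement, later_dir))
                break
    return findings


# Constructed sample configuration covering the cases the check distinguishes.
SAMPLE_CONF = """
server {
    listen 80;
    location /old/ {                       # capture + '?' then set: flagged
        rewrite ^/old/(.*)$ /new?item=$1 last;
        set $flag 1;
    }
    location /static/ {                    # '?' but no capture used: not flagged
        rewrite ^/static/(.*)$ /assets?v=2 last;
        rewrite ^/assets$ /assets/ permanent;
    }
    location /legacy/ {                    # capture but no '?': not flagged
        rewrite ^/legacy/(.*)$ /modern/$1 last;
        rewrite ^/modern/(.*)$ /v2/$1 last;
    }
    location /last/ {                      # nothing follows in the block: not flagged
        rewrite ^/last/(.*)$ /end?x=$1 break;
    }
    location /q/ {                         # capture + '?' then an if block: flagged
        rewrite ^/q/(.*)$ /search?q=$1 last;
        if ($args ~ "debug") { return 403; }
    }
}
"""

if __name__ == "__main__":
    for regex, repl, follower in find_risky_rewrites(SAMPLE_CONF):
        print(f"rewrite {regex} -> {repl!r} followed by '{follower}'")
```

Run it against `nginx -T` output to see every active file at once; a hit means the configuration matches the advisory's description and the host should be prioritised for the 1.31.0/1.30.1 (or Nginx Plus) update, not that exploitation has been confirmed.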
