AI description
CVE-2026-56434 is a use-after-free vulnerability found in the `ngx_http_ssi_module` of NGINX Plus and NGINX Open Source. This flaw specifically manifests when Server-Side Includes (SSI), `proxy_pass`, and `proxy_buffering off` directives are configured simultaneously. An unauthenticated attacker with man-in-the-middle (MITM) capabilities can exploit this vulnerability by controlling responses from an upstream server. This can trigger a use-after-free condition within the NGINX worker process, potentially leading to limited modification of memory contents or a restart of the NGINX worker process.
- Description
- NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssi_module module. This vulnerability may exist when the Server-Side Includes (SSI), proxy_pass, and proxy_buffering off directives are configured. With this configuration, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to cause a use-after-free in the NGINX worker process. This issue may lead to limited modification of memory or a restart of the NGINX worker process. Impact: This vulnerability may allow remote attackers to have limited control to modify memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- Source
- f5sirt@f5.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 8.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
CVSS 3.1
- Type
- Secondary
- Base score
- 6.5
- Impact score
- 4.2
- Exploitability score
- 2.2
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
- Severity
- MEDIUM
- f5sirt@f5.com
- CWE-416
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
1
nginx releases security updates (1.30.4 & 1.31.3): Fixes include: • CVE-2026-42533 – Buffer overflow • CVE-2026-60005 – Memory disclosure • CVE-2026-56434 – Use-after-free Update as soon as possible. #nginx #Vulnerability
@ThreatByte
17 Jul 2026
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2026-42533, CVE-2026-60005 & CVE-2026-56434: F5 has disclosed three high-severity vulnerabilities affecting NGINX Plus and NGINX Open Source, potentially leading to memory corruption, worker crashes, or remote code execution. #CyberSecurity #CVE #NGINX #F5 #ThreatWi
@ThreatWire_
16 Jul 2026
52 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🔴 NGINX kullanıcılarının dikkatine! F5, NGINX ve NGINX Plus'ı etkileyen 3 yüksek önem dereceli güvenlik açığını duyurdu. • CVE-2026-42533 – Heap Buffer Overflow • CVE-2026-60005 – Uninitialized Memory Disclosure • CVE-2026-56434 – Use-After-Free Etk
@ridvanyagli
16 Jul 2026
197 Impressions
1 Retweet
2 Likes
2 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2026-56434: NGINX ngx_http_ssi_module vulnerability Critical Vulnerability Alert! Nginx is affected by CVE-2026-56434. Full Vulnerability Details & Analysis at DarkEye: 🔗 https://t.co/xdE1q0TbQ3 🔍 Identify Targets via ZoomEye: Filter: vul.cve="CVE-2026-5643
@zoomeye_team
16 Jul 2026
4164 Impressions
18 Retweets
46 Likes
22 Bookmarks
2 Replies
1 Quote
NGINX release-1.30.4 patches CVE-2026-42533 Critical security vulnerabilities (CVE-2026-42533, CVE-2026-60005, CVE-2026-56434) fixed. Upgrade carefully. → https://t.co/aKovKRAYKK
@ReleasePort
16 Jul 2026
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
F5 patched the NGINX code execution flaw CVE-2026-42533, along with CVE-2026-60005 and CVE-2026-56434. Update NGINX Plus and Open Source builds now. #NGINX #CVE202642533 #CodeExecution #F5 #Vulnerability https://t.co/cds4Vr6BxO
@Daily_CyberSec
16 Jul 2026
571 Impressions
2 Retweets
9 Likes
3 Bookmarks
0 Replies
0 Quotes