CVE ID: CVE-2026-8711
Published: May 19, 2026, 3:16 p.m.
Description: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
https://cvefeed.io/vuln/detail/CVE-2026-8711
CVE-2026-8711 - NGINX JavaScript vulnerability
-
Starburst-David
- Posts: 53
- Joined: Wed Feb 11, 2026 8:31 pm
Re: CVE-2026-8711 - NGINX JavaScript vulnerability
That's crazy! The opposite advice is recommended -- make sure Address Space Layout Randomization (ASLR) is ENABLED to prevent remote code execution (RCE).Solution
Disable ASLR if possible.