CVE-2026-8711 - NGINX JavaScript vulnerability
Posted: Tue May 19, 2026 6:09 pm
CVE ID: CVE-2026-8711
Published: May 19, 2026, 3:16 p.m.
Description: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
https://cvefeed.io/vuln/detail/CVE-2026-8711
Published: May 19, 2026, 3:16 p.m.
Description: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
https://cvefeed.io/vuln/detail/CVE-2026-8711