AI agent discovers 18-year-old remote code execution flaw in Nginx



Nginx is one of the most popular web servers, powering nearly a third of all websites on the Internet, and is also integrated into many commercial products. This software is also often used as a reverse proxy, load balancer, and cache for other web applications and servers.

The vulnerability, CVE-2026-42945, is located in ngx_http_rewrite_module, a component that handles URL rewriting, and affects Nginx versions 0.6.27 to 1.30.0. This issue has been given a 9.2 CVSS severity score and has been patched in versions 1.31.0 and 1.30.1.

Nginx Plus, a commercial product owned and developed by network and application security company F5, is also vulnerable and has been patched in versions R36 P4, R32 P6, and 37.0.0. Other F5 products based on Nginx open source and Nginx Plus are also affected, but have not yet received updates, including Nginx Instance Manager, F5 WAF for Nginx, Nginx App Protect WAF, F5 DoS for Nginx, Nginx App Protect DoS, Nginx Gateway Fabric, and Nginx Ingress Controller.

“This vulnerability exists when a rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl Compatible Regular Expression (PCRE) capture ($1, $2, etc.) is performed with a substitution string that contains a question mark (?),” F5 said in its advisory. According to the company, an exploit could cause a denial of service condition in the form of a server crash and could allow arbitrary code execution on systems where Address Space Layout Randomization (ASLR) is disabled.
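To help prioritise patching, the following added example (not code from F5 or the Nginx project) scans configuration text for the directive pattern the advisory describes. It assumes one reading of that wording: a `rewrite` whose replacement string holds both an unnamed capture and a `?`, followed in the same block by `rewrite`, `if`, or `set`; the function names and sample config are constructed for illustration.

```python
import re

# Tokens: quoted strings, the structural characters ; { }, or bare words.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[;{}]|(?:\$\{[^}]*\}|[^\s;{}])+')
UNNAMED_CAPTURE = re.compile(r"\$\d")
FOLLOWERS = {"rewrite", "if", "set"}

# Constructed sample config, not taken from any real deployment.
SAMPLE = r"""
server {
    location /old/ {
        rewrite ^/old/(.*)$ /new/index.php?page=$1 break;
        set $migrated 1;
    }
    location /safe/ {
        rewrite ^/safe/(?<rest>.*)$ /app?path=$rest last;
        set $flag 1;
    }
}
"""

def risky_rewrite(words):
    """True for `rewrite regex replacement ...` whose replacement has $N and '?'."""
    if len(words) < 3 or words[0] != "rewrite":
        return False
    replacement = words[2].strip("\"'")
    return "?" in replacement and bool(UNNAMED_CAPTURE.search(replacement))

def find_exposed_rewrites(config_text):
    """Return (rewrite, follower) directive pairs matching the assumed pattern."""
    text = re.sub(r"(?m)^\s*#.*$", "", config_text)  # drops full-line comments only
    findings, words = [], []
    pending = [[]]  # per-block stack of risky rewrites still awaiting a follower
    for tok in TOKEN.findall(text):
        if tok not in (";", "{", "}"):
            words.append(tok)
            continue
        if words and words[0] in FOLLOWERS:
            findings += [(r, " ".join(words)) for r in pending[-1]]
            pending[-1] = []
        if risky_rewrite(words):
            pending[-1].append(" ".join(words))
        if tok == "{":
            pending.append([])
        elif tok == "}" and len(pending) > 1:
            pending.pop()
        words = []
    return findings

if __name__ == "__main__":
    print(find_exposed_rewrites(SAMPLE))
```

A match only flags a block for review; the check does not follow `include` files, and the fix remains upgrading to a patched version.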


