
NGINX Plus and NGINX Vulnerabilities

CERT-Bund Security Advisories (wid.cert-bund.de)
Published March 24th, 2026
Detected March 25th, 2026

Summary

CERT-Bund has issued a security advisory regarding multiple vulnerabilities in NGINX and NGINX Plus, with a CVSS base score of 8.2. The vulnerabilities affect Linux, UNIX, and Windows operating systems and can be exploited remotely to cause a denial of service, manipulate data, bypass security controls, and potentially execute arbitrary code.

What changed

CERT-Bund has released a security advisory (WID-SEC-2026-0860) detailing multiple vulnerabilities affecting the NGINX and NGINX Plus web server software. The advisory assigns a CVSS base score of 8.2, which it rates as high severity. The vulnerabilities impact versions of NGINX Plus prior to R36 P3, R35 P2, and R32 P5, as well as NGINX versions prior to 1.29.7 and 1.28.3, across Linux, UNIX, and Windows operating systems.

Exploitation of these vulnerabilities could allow a remote attacker to perform a denial-of-service attack, manipulate data, bypass security controls, and potentially execute arbitrary code. Organizations using affected versions of NGINX or NGINX Plus should consult the advisory for specific mitigation strategies and apply available patches or updates to prevent potential security breaches. The advisory notes that mitigation is available, implying that patching or configuration changes can address the risks.

What to do next

  1. Review NGINX and NGINX Plus versions against advisory WID-SEC-2026-0860
  2. Apply available patches or mitigation strategies for affected versions
  3. Monitor for further updates from CERT-Bund and NGINX
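As an added example (not code from CERT-Bund or from the NGINX project), the following script turns step 1 into a repeatable check: it parses an `nginx -v` banner and compares it against the fixed versions named in WID-SEC-2026-0860, handling the two open-source branches separately and the NGINX Plus release/patch numbering separately. The NGINX Plus banner suffix `(nginx-plus-rNN-pM)` is an assumption about the banner format; the sample banners are constructed.

```python
import re
import subprocess

# Fixed versions as listed in advisory WID-SEC-2026-0860.
FIXED_OSS = {(1, 29): (1, 29, 7), (1, 28): (1, 28, 3)}   # branch -> first fixed
FIXED_PLUS = {36: 3, 35: 2, 32: 5}                        # release -> first fixed patch

# Assumed banner formats: "nginx/1.28.2" and "nginx/1.29.4 (nginx-plus-r36-p1)".
_BANNER_RE = re.compile(
    r"nginx/(\d+)\.(\d+)\.(\d+)(?:\s*\(nginx-plus-r(\d+)(?:-p(\d+))?\))?"
)


def assess(banner: str) -> str:
    """Classify an `nginx -v` banner as 'vulnerable', 'fixed' or 'unknown'."""
    m = _BANNER_RE.search(banner)
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        # NGINX Plus: the advisory keys on release/patch, not on the bundled OSS triple.
        release = int(m.group(4))
        plus_patch = int(m.group(5) or 0)          # no "-pM" suffix means patch level 0
        if release not in FIXED_PLUS:
            return "unknown"                        # release not covered by the advisory
        return "fixed" if plus_patch >= FIXED_PLUS[release] else "vulnerable"
    branch = (major, minor)
    if branch not in FIXED_OSS:
        return "unknown"                            # e.g. an EOL branch the advisory does not name
    return "fixed" if (major, minor, patch) >= FIXED_OSS[branch] else "vulnerable"


def local_banner() -> str:
    """Read the banner of the locally installed nginx; `nginx -v` prints to stderr."""
    try:
        proc = subprocess.run(["nginx", "-v"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr or proc.stdout


# Constructed sample banners covering each case the advisory distinguishes.
SAMPLES = [
    "nginx version: nginx/1.29.6",
    "nginx version: nginx/1.28.3",
    "nginx version: nginx/1.29.4 (nginx-plus-r36-p1)",
    "nginx version: nginx/1.27.2 (nginx-plus-r35)",
]

if __name__ == "__main__":
    for b in SAMPLES + [local_banner()]:
        print(f"{assess(b):<10} {b.strip() or '(no local nginx found)'}")
```

Run it on each host's banner (or feed it `nginx -v 2>&1` output collected by your inventory tooling) and treat every `vulnerable` result as a patch candidate; `unknown` means the branch is not named in the advisory and needs a manual look.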

Source document (simplified)

[WID-SEC-2026-0860] NGINX and NGINX Plus: Multiple vulnerabilities
CVSS Base Score
8.2 (high)
CVSS Temporal Score
7.1 (high)
Remote attack
yes
Date
24.03.2026
Last updated
25.03.2026
Mitigation
yes

Affected systems

Operating system

  • Linux
  • UNIX
  • Windows

Product description

NGINX Plus is the commercial variant of NGINX, a web server, reverse proxy and e-mail proxy software.
NGINX is a web server, reverse proxy and e-mail proxy software.

Products

24.03.2026

  • NGINX NGINX Plus <R36 P3
  • NGINX NGINX Plus <R35 P2
  • NGINX NGINX Plus <R32 P5
  • NGINX NGINX <1.29.7
  • NGINX NGINX <1.28.3

Attack

An attacker can exploit multiple vulnerabilities in NGINX Plus and NGINX to carry out a denial-of-service attack, manipulate data, bypass security measures, and potentially execute arbitrary code.

Named provisions

Affected systems; Attack

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
CERT-Bund
Published
March 24th, 2026
Instrument
Notice
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
WID-SEC-2026-0860

Who this affects

Applies to
Technology companies
Industry sector
5112 Software & Technology
Activity scope
Web Server Management Network Security
Geographic scope
Germany DE

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Web Security Network Infrastructure
