PT-2026-60184 · F5 · Nginx Plus+1

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-56434

CVSS v3.1

6.5

Medium

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions NGINX Plus (affected versions not specified) NGINX Open Source (affected versions not specified)
Description A flaw exists in the ngx http ssi module module when Server-Side Includes (SSI), proxy pass, and proxy buffering off directives are configured. An unauthenticated attacker with man-in-the-middle (MITM) capabilities to control responses from an upstream server can trigger a use-after-free or a heap buffer over-read in the NGINX worker process. This may result in limited memory modification or a restart of the worker process. This is a data plane issue with no control plane exposure.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56434

Affected Products

Nginx Open Source
Nginx Plus