PT-2026-60187 · F5 · Nginx Plus

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-60065

CVSS v3.1

3.7

Low

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
When NGINX Plus is configured to use the Message Queuing Telemetry Transport (MQTT) filter module (ngx stream mqtt filter module), unauthenticated attackers can send requests with conditions beyond the attacker's control to cause a heap buffer over-read in the NGINX worker process, leading to a restart.
Impact: This vulnerability may allow remote unauthenticated attackers to have limited control to restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Fix

Out of bounds Read

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-60065

Affected Products

Nginx Plus