{"vulnerability": "CVE-2026-42945", "sightings": [{"uuid": "9af3719f-b415-44d5-8c67-6f1eaf5cf09f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlqurxic4y2o", "content": "CVE-2026-42945 - NGINX ngx_http_rewrite_module vulnerability\nCVE ID : CVE-2026-42945\n \n Published : May 13, 2026, 2:12 p.m. | 2\u00a0hours, 12\u00a0minutes ago\n \n Description : NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module\u00a0module. This vulnerabilit...", "creation_timestamp": "2026-05-13T17:56:00.842089Z"}, {"uuid": "081c8fdf-1542-4711-9fdc-6a92b026aee8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/cR0w/statuses/116568862985647331", "content": "RE: https://infosec.exchange/@cR0w/116568840324508660\nPlenty of prerequisites but worth looking into.\nhttps://my.f5.com/manage/s/article/K000161019\n\nNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. 
(CVE-2026-42945)", "creation_timestamp": "2026-05-13T19:14:52.543687Z"}, {"uuid": "d4589600-d699-4c51-aa53-38cc58d48cc2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://mstdn.social/users/jschauma/statuses/116570913453757279", "content": "CVE-2026-42945: Possible RCE in NGINX:\nhttps://depthfirst.com/nginx-rift\nRequires a specific regex based rewrite directive like\nrewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&amp;tab=$2 last;\nhttps://my.f5.com/manage/s/article/K000161019\n(Of course also found &amp; published by some AI platform. At least they told F5 first.)\nAnd there's a bunch of other vulns in nginx that just dropped, but good luck keeping track if the list of security advisories contains no dates:\nhttps://nginx.org/en/security_advisories.html", "creation_timestamp": "2026-05-14T03:56:21.171214Z"}, {"uuid": "78ff4336-02a6-4835-9aeb-d124c86b34e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/jschauma.mstdn.social.ap.brid.gy/post/3mlrwe7sfxxu2", "content": "CVE-2026-42945: Possible RCE in NGINX:\n\nhttps://depthfirst.com/nginx-rift\n\nRequires a specific regex based rewrite directive like\n\nrewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&amp;tab=$2 last;\n\nhttps://my.f5.com/manage/s/article/K000161019\n\n(Of course also found &amp; published by some AI [\u2026]", "creation_timestamp": "2026-05-14T04:01:33.020888Z"}, {"uuid": "a4f5cb7d-fc78-4ca9-bb45-ee5164835b51", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/harrysintonen/statuses/116569411966488420", "content": 
"CVE-2026-42945 Heap-based Buffer Overflow in #nginx combined with the linux kernel LPEs is \"not great\" as we say in the industry.\nhttps://depthfirst.com/nginx-rift\n#CVE_2026_42945", "creation_timestamp": "2026-05-13T21:34:29.567906Z"}, {"uuid": "31722fc4-8ec9-438f-b2a0-22066997cff1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/yukotan.bsky.social/post/3mls6mn6yls23", "content": "\u3053\u308c\u306d\n\nCritical 18-Year-Old NGINX RCE (CVE-2026-42945) and GitHub PoC Disclosed \nsecurityonline.info/nginx-rce-vu...", "creation_timestamp": "2026-05-14T06:24:21.653039Z"}, {"uuid": "d9d4f2f9-779e-4c6d-9315-8bf2024ab40b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hatena-bookmark.bsky.social/post/3mlrq5eb7ca2m", "content": "#\ud83d\udd16\u30c6\u30af\u30ce\u30ed\u30b8\u30fc\nNGINX Rift\n\nCVE-2026-42945 \u00b7 Heap-based Buffer Overflow \u00b7 CVSS v4.0 9.2 (Critical) found autonomously by depthfirst NGINX Rift An 18 year old memory corruption flaw in NGINX Plus and NGINX Open Source lets an unauthenticated attacker crash worker processes or execute remote code with craft", "creation_timestamp": "2026-05-14T02:05:11.569517Z"}, {"uuid": "8edb837d-eb25-4d59-9de0-96d7c7f0b34c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/kubonai.bsky.social/post/3mlsb6fsmet2a", "content": "CVE-2026-42945: Critical NGINX Heap Buffer Overflow RCE Vulnerability\n\nCVE-2026-42945 is a critical NGINX vulnerability (CVSS 9.2) hiding in ngx_http_rewrite_module for 18 years. 
A public PoC ex...\n\n\ud83d\udd17 https://ipsec.live/blog/cve-2026-42945-nginx-heap-buffer-overflow\n\n#infosec #cybersecurity", "creation_timestamp": "2026-05-14T07:09:59.377157Z"}, {"uuid": "3602732b-d7e5-4bfe-a731-e51bff4fd9e5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/1SOBBgvcIqPC2HdBO73HfJmtzy7hfeZMdIE0nBIzwgN91l0", "content": "", "creation_timestamp": "2026-05-14T07:00:14.000000Z"}, {"uuid": "3a6a64dd-f497-41bc-8785-8401c43398ee", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/thehackernews/8997", "content": "\u26a1 An 18-year-old flaw in NGINX can let unauthenticated attackers run code or crash servers using crafted HTTP requests.\n\nTracked as CVE-2026-42945 and named NGINX Rift, the bug affects NGINX Plus and Open Source.\n\nPatch details and mitigation steps: https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html", "creation_timestamp": "2026-05-14T06:10:17.000000Z"}, {"uuid": "6b9bcaef-2e6d-40ea-bee2-c65bc2cf5e87", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://cyberplace.social/users/GossiTheDog/statuses/116572643931253811", "content": "CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)\nIt relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it.  
To reach RCE, also ASLR needs to have been disabled on the box.\nThe PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.", "creation_timestamp": "2026-05-14T11:17:02.377324Z"}, {"uuid": "684ee04e-95c0-4f0b-b1d6-6863656dafa4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/tomcat/statuses/116572672199510588", "content": "\u26a1 An 18-year-old flaw in NGINX can let unauthenticated attackers run code or crash servers using crafted HTTP requests.\nTracked as CVE-2026-42945 and named NGINX Rift, the bug affects NGINX Plus and Open Source.\nPatch details and mitigation steps: https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html", "creation_timestamp": "2026-05-14T11:23:35.922821Z"}, {"uuid": "971780d6-4f19-4c46-a624-c3eb84d18fc5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://mastodon.social/users/hrbrmstr/statuses/116572847528970537", "content": "The EasyEngine tutorial, StackPointer, WPMU DEV, Stack Overflow, and the WordPress.org forums all reference this same pattern.\nThis can easily be chained with one (or both) of two recent and trivial-to-exploit local privilege escalation Linux vulns.\nIn the words of @krypt3ia :\nwe doomed.\nHOWEVER: I threw together a small Bash script that tries to detect whether a given conf file or directory of nginx configs has vulnerable directives. 
You can find it at:\nhttps://git.sr.ht/~hrbrmstr/cve-2026-42945-scanner\u2026 (2/3)", "creation_timestamp": "2026-05-14T12:08:28.141923Z"}, {"uuid": "1eb9586f-f049-4f89-87c6-ce42fc4bb164", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html", "content": "Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years.\nThe vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a", "creation_timestamp": "2026-05-14T04:00:09.000000Z"}, {"uuid": "64fc25b9-dfbe-445d-ab19-5283b0ada87b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/r-netsec-bot.bsky.social/post/3mlsmaqwxcj2g", "content": "CVE-2026-42945 : NGINX Heap Buffer Overflow in rewrite module - Writeup and PoC", "creation_timestamp": "2026-05-14T10:28:10.239253Z"}, {"uuid": "7eef58b8-ba58-4b94-8f71-e2dee60a2d0f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/r-netsec.bsky.social/post/3mlsmv4rbyo2w", "content": "CVE-2026-42945 : NGINX Heap Buffer Overflow in rewrite module - Writeup and PoC", "creation_timestamp": "2026-05-14T10:39:32.828853Z"}, {"uuid": "3154705b-d4ad-4543-82c1-464af34dc814", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", 
"vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/K_yHCshI6yZBJj8Foftsx5hfP7GLhbMmJ81CYC3g7d-oupU", "content": "", "creation_timestamp": "2026-05-14T11:00:13.000000Z"}, {"uuid": "80304a67-35c2-46c7-a7c4-e9c88a80a8f3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84220", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-42945\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a rheodev\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 1  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-14 13:27:53\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nNGINX Rift \u6f0f\u6d1e\u5206\u6790\u4e0e\u590d\u73b0\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-14T14:00:04.000000Z"}, {"uuid": "aeae35e8-5284-474a-816e-76b8011cac9f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/oxfemale.bsky.social/post/3mlt4vtlmna2s", "content": "As Head of Security, I would classify\u00a0CVE-2026-42945, also known as\u00a0NGINX Rift, as an urgent edge-infrastructure vulnerability.\nhttps://core-jmp.org/2026/05/nginx-rift-the-18-year-old-rewrite-bug-that-turned-a-single-http-request-into-potential-rce/", "creation_timestamp": "2026-05-14T15:26:17.741044Z"}, {"uuid": "856a4646-9e4e-4b83-85b9-3cc2c5813240", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": 
"Telegram/dErCEnN1e7TY-t0OSb3ozOiPhjFHpmm6ygmc27OPsCgAOz4", "content": "", "creation_timestamp": "2026-05-14T15:00:16.000000Z"}, {"uuid": "13f33583-e0d3-423d-9595-72a033558dff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlrrkr5rym2j", "content": "Top 3 CVE for last 7 days:\nCVE-2026-43284: 134 interactions\nCVE-2026-43500: 99 interactions\nCVE-2026-31431: 73 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-46300: 14 interactions\nCVE-2026-42945: 7 interactions\nCVE-2025-8088: 6 interactions\n", "creation_timestamp": "2026-05-14T02:30:34.787585Z"}, {"uuid": "1650b958-febf-442a-983e-7a4c7c57f697", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/8KrClztxOpt43Dn04vWbNfDSJz2auxqrQryTcHMCR_fwseY", "content": "", "creation_timestamp": "2026-05-14T15:00:07.000000Z"}, {"uuid": "99eff52c-7f48-4cf4-9d53-3bfc619a9166", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/tongzhuodeni.bsky.social/post/3mlrslabuxk2u", "content": "\u5341\u516b\u5e74\u6ca1\u4eba\u78b0\u7684\u90a3\u6bb5\u4ee3\u7801\uff0c\u78b0\u4e0a\u4e86\u5c31\u662f\u5927\u4e8b\u3002\n\nNGINX \u88ab\u66dd\u4e25\u91cd\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0cCVSS 9.2\uff0c\u6e90\u4e8e 2008 \u5e74\u5f15\u5165\u7684\u4ee3\u7801\u903b\u8f91\uff0c\u5f71\u54cd\u5168\u7403\u6570\u4ebf\u670d\u52a1\u5668\u3002\u653b\u51fb\u8005\u65e0\u9700\u8ba4\u8bc1\u5373\u53ef\u5229\u7528\uff0c\u5df2\u53d1\u5e03\u4fee\u590d\u7248\u672c\u3002\n\n\u6d88\u606f\u6765\u6e90\uff1aDepthfirst\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42945", 
"creation_timestamp": "2026-05-14T02:49:04.993051Z"}, {"uuid": "ffbf3c32-3a4d-4033-955e-ac9a2637aa4c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/thecascading.bsky.social/post/3mlrt43253u22", "content": "\ud83d\udd34 NGINX http_rewrite \u6a21\u5757\u6f0f\u6d1e\uff1b\u6216\u4f1a\u5bfc\u81f4\u5806\u6ea2\u51fa\u751a\u81f3\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\n\n- \u6f0f\u6d1e\u7684\u8d77\u56e0\u662f nginx \u5c1d\u8bd5\u5c06 escape \u8fc7\u7684 URL \u5199\u5165\u672a escape \u957f\u5ea6\u7684\u5185\u5b58\u3002\n- \u5728 ASLR \u672a\u88ab\u5f00\u542f\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u4ee5\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\n- \u4fee\u590d\u5df2\u4e8e 1.30.1/1.31.0 \u53d1\u5e03\u3002\n\n1. https://depthfirst.com/nginx-rift\n2. my.f5.com/~\n\nCVE: CVE-2026-42945\nCVSS: 9.2 (F5 Networks)\nAffect: [0.6.27, 1.30.0] ... [1/2]", "creation_timestamp": "2026-05-14T02:58:08.480955Z"}, {"uuid": "9b833f6a-5956-4c3a-b8b6-138470a37412", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/shortinfo.bsky.social/post/3mltd3jvi4d2q", "content": "An 18-year-old heap overflow in NGINX's rewrite module, named NGINX Rift (CVE-2026-42945, CVSS 9.2), lets an unauthenticated attacker crash workers or, with ASLR off, gain RCE via a single crafted HTTP request. Affects 0.6.27 to 1.30.0 and Plus R32-R36. 
Patch: 1.30.1 or 1.31.0.", "creation_timestamp": "2026-05-14T17:16:51.642379Z"}, {"uuid": "fb7d0e5e-9d65-4060-b321-e094e18e075f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/true_secator/8204", "content": "\u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b\u0438 \u043c\u043d\u043e\u0433\u043e\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u044b\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0430\u0445 NGINX Plus \u0438 NGINX Open, \u0432\u043a\u043b\u044e\u0447\u0430\u044f \u043a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0443\u044e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043e\u0441\u0442\u0430\u0432\u0430\u043b\u0430\u0441\u044c \u043d\u0435\u0437\u0430\u043c\u0435\u0447\u0435\u043d\u043d\u043e\u0439 \u0432 \u0442\u0435\u0447\u0435\u043d\u0438\u0435 18 \u043b\u0435\u0442.\n\n\u041f\u043e\u0441\u043b\u0435\u0434\u043d\u044f\u044f \u0431\u044b\u043b\u0430\u00a0\u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u043f\u0440\u0438 \u0443\u0447\u0430\u0441\u0442\u0438\u0438 depthfirst \u0438 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0441\u043e\u0431\u043e\u0439 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0443 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 \u043a\u0443\u0447\u0435, \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u044e\u0449\u0443\u044e \u043c\u043e\u0434\u0443\u043b\u044c ngx_http_rewrite_module (CVE-2026-42945, CVSS v4: 9.2), \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 
\u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c RCE \u0438\u043b\u0438 \u0432\u044b\u0437\u0432\u0430\u0442\u044c DoS \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432. \u041e\u043d\u0430 \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0430 \u0443\u0441\u043b\u043e\u0432\u043d\u043e\u0435 \u043d\u0430\u0437\u0432\u0430\u043d\u0438\u0435\u00a0NGINX Rift.\n\n\u041a\u0430\u043a \u043e\u0442\u043c\u0435\u0447\u0430\u0435\u0442 F5, \u0432 \u043c\u043e\u0434\u0443\u043b\u044f\u0445 ngx_http_rewrite_module \u0432 NGINX Plus \u0438 NGINX Open Source \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0432\u043e\u0437\u043d\u0438\u043a\u0430\u0435\u0442, \u043a\u043e\u0433\u0434\u0430 \u0437\u0430 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u043e\u0439 rewrite \u0441\u043b\u0435\u0434\u0443\u0435\u0442 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0430 rewrite, if \u0438\u043b\u0438 set, \u0430 \u0442\u0430\u043a\u0436\u0435 \u043d\u0435\u043d\u0430\u0437\u0432\u0430\u043d\u043d\u044b\u0439 \u0437\u0430\u0445\u0432\u0430\u0442 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e Perl-\u0441\u043e\u0432\u043c\u0435\u0441\u0442\u0438\u043c\u043e\u0433\u043e \u0440\u0435\u0433\u0443\u043b\u044f\u0440\u043d\u043e\u0433\u043e \u0432\u044b\u0440\u0430\u0436\u0435\u043d\u0438\u044f (PCRE) (\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, $1, $2) \u0441 \u0437\u0430\u043c\u0435\u043d\u043e\u0439 \u0441\u0442\u0440\u043e\u043a\u0438, \u0432\u043a\u043b\u044e\u0447\u0430\u044e\u0449\u0435\u0439 \u0432\u043e\u043f\u0440\u043e\u0441\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 
\u0437\u043d\u0430\u043a (?).\n\n\u041d\u0435\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u044d\u0442\u0443 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u044f\u044f \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0435 HTTP-\u0437\u0430\u043f\u0440\u043e\u0441\u044b, \u0447\u0442\u043e \u0432\u044b\u0437\u043e\u0432\u0435\u0442 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0431\u0443\u0444\u0435\u0440\u0430 \u043a\u0443\u0447\u0438 \u0432 \u0440\u0430\u0431\u043e\u0447\u0435\u043c \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0435 NGINX \u0438 \u043f\u0440\u0438\u0432\u0435\u0434\u0435\u0442 \u043a \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u043a\u0443.\n\n\u041a\u0440\u043e\u043c\u0435 \u0442\u043e\u0433\u043e, \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0430\u0445 \u0441 \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u043e\u0439 \u0440\u0430\u043d\u0434\u043e\u043c\u0438\u0437\u0430\u0446\u0438\u0435\u0439 \u0440\u0430\u0441\u043f\u043e\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u0430\u0434\u0440\u0435\u0441\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0441\u0442\u0432\u0430 (ASLR) \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0430.\n\n\u0414\u0430\u043d\u043d\u0430\u044f \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0431\u044b\u043b\u0430 \u0440\u0435\u0448\u0435\u043d\u0430 \u0432 \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0445 \u0432\u0435\u0440\u0441\u0438\u044f\u0445 \u043f\u043e\u0441\u043b\u0435 
\u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u044f 21 \u0430\u043f\u0440\u0435\u043b\u044f: NGINX Plus R32 - R36 (\u0432 R32 P6 \u0438 R36 P4), NGINX Open Source 1.0.0 - 1.30.0 (\u0432 \u0432\u0435\u0440\u0441\u0438\u044f\u0445 1.30.1 \u0438 1.31.0), 0.6.27 - 0.9.7 (\u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043d\u0435 \u043f\u043b\u0430\u043d\u0438\u0440\u0443\u044e\u0442\u0441\u044f), NGINX Instance Manager 2.16.0 - 2.21.1, F5 WAF \u0434\u043b\u044f NGINX 5.9.0 - 5.12.1, NGINX App Protect WAF 4.9.0 - 4.16.0, NGINX App Protect WAF 5.1.0 - 5.8.0, F5 DoS \u0434\u043b\u044f NGINX 4.8.0, NGINX App Protect DoS 4.3.0 - 4.7.0, NGINX Gateway Fabric 1.3.0 - 1.6.2, 2.0.0 - 2.5.1, \u0430 \u0442\u0430\u043a\u0436\u0435 NGINX Ingress Controller 3.5.0 - 3.7.2, 4.0.0 - 4.0.1 \u0438 5.0.0 - 5.4.1.\n\n\u0412 \u0441\u0432\u043e\u0435\u043c \u0441\u043e\u0431\u0441\u0442\u0432\u0435\u043d\u043d\u043e\u043c \u0443\u0432\u0435\u0434\u043e\u043c\u043b\u0435\u043d\u0438\u0438 depthfirst \u0441\u043e\u043e\u0431\u0449\u0430\u0435\u0442, \u0447\u0442\u043e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u043d\u0435\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u043f\u043e\u0432\u0440\u0435\u0434\u0438\u0442\u044c \u043a\u0443\u0447\u0443 \u0440\u0430\u0431\u043e\u0447\u0435\u0433\u043e \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430 NGINX, \u043e\u0442\u043f\u0440\u0430\u0432\u0438\u0432 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 URI.\n\n\u0421\u0435\u0440\u044c\u0435\u0437\u043d\u043e\u0441\u0442\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 
\u0437\u0430\u043a\u043b\u044e\u0447\u0430\u0435\u0442\u0441\u044f \u0432 \u0442\u043e\u043c, \u0447\u0442\u043e \u043e\u043d\u0430 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0430 \u0431\u0435\u0437 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438, \u043c\u043e\u0436\u0435\u0442 \u043d\u0430\u0434\u0435\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u0434\u043b\u044f \u0432\u044b\u0437\u044b\u0432\u0430\u043d\u0438\u044f \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043a\u0443\u0447\u0438 \u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u0432\u0435\u0441\u0442\u0438 \u043a \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044e \u043a\u043e\u0434\u0430 \u0432 \u0440\u0430\u0431\u043e\u0447\u0435\u043c \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0435 NGINX.\n\n\u0417\u0430\u043f\u0438\u0441\u044c \u0431\u0430\u0439\u0442\u043e\u0432 \u043f\u043e\u0441\u043b\u0435 \u0432\u044b\u0434\u0435\u043b\u0435\u043d\u0438\u044f \u043f\u0430\u043c\u044f\u0442\u0438 \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0434\u0438\u0442 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 URI \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u0438\u0441\u043a\u0430\u0436\u0435\u043d\u0438\u0435 \u0434\u0430\u043d\u043d\u044b\u0445 \u0444\u043e\u0440\u043c\u0438\u0440\u0443\u0435\u0442\u0441\u044f \u0441\u0430\u043c\u0438\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u043e\u043c, \u0430 \u043d\u0435 \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0434\u0438\u0442 \u0441\u043b\u0443\u0447\u0430\u0439\u043d\u044b\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c. 
\u041f\u043e\u0432\u0442\u043e\u0440\u043d\u044b\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u0442\u0430\u043a\u0436\u0435 \u043c\u043e\u0433\u0443\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u0434\u043b\u044f \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0430\u043d\u0438\u044f \u0446\u0438\u043a\u043b\u043e\u0432 \u0441\u0431\u043e\u0435\u0432 \u0438 \u0441\u043d\u0438\u0436\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0441\u0442\u0438 \u0434\u043b\u044f \u043a\u0430\u0436\u0434\u043e\u0433\u043e \u0441\u0430\u0439\u0442\u0430, \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u0435\u043c\u043e\u0433\u043e \u0434\u0430\u043d\u043d\u044b\u043c \u044d\u043a\u0437\u0435\u043c\u043f\u043b\u044f\u0440\u043e\u043c.\n\n\u0412 NGINX Plus \u0438 NGINX Open Source \u0442\u0430\u043a\u0436\u0435 \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u044b \u0442\u0440\u0438 \u0434\u0440\u0443\u0433\u0438\u0435 \u0441\u0435\u0440\u044c\u0435\u0437\u043d\u044b\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438:\n\n- CVE-2026-42946\u00a0(CVSS v4: 8.3): \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0447\u0440\u0435\u0437\u043c\u0435\u0440\u043d\u044b\u043c \u0432\u044b\u0434\u0435\u043b\u0435\u043d\u0438\u0435\u043c \u043f\u0430\u043c\u044f\u0442\u0438 \u0432 \u043c\u043e\u0434\u0443\u043b\u044f\u0445 ngx_http_scgi_module \u0438 ngx_http_uwsgi_module, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u043d\u0435\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u0441 
\u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044f\u043c\u0438 \u0430\u0442\u0430\u043a\u0438 AitM \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043e\u0442\u0432\u0435\u0442\u044b \u043e\u0442 \u0432\u044b\u0448\u0435\u0441\u0442\u043e\u044f\u0449\u0435\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0430, \u0447\u0442\u043e\u0431\u044b \u0441\u0447\u0438\u0442\u044b\u0432\u0430\u0442\u044c \u043f\u0430\u043c\u044f\u0442\u044c \u0440\u0430\u0431\u043e\u0447\u0435\u0433\u043e \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430 NGINX \u0438\u043b\u0438 \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0442\u044c \u0435\u0433\u043e \u043f\u0440\u0438 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0435 scgi_pass \u0438\u043b\u0438 uwsgi_pass.\n\n- CVE-2026-40701\u00a0(CVSS v4: 6.3): \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0442\u0438\u043f\u0430 \u00ab\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043f\u043e\u0441\u043b\u0435 \u043e\u0441\u0432\u043e\u0431\u043e\u0436\u0434\u0435\u043d\u0438\u044f \u043f\u0430\u043c\u044f\u0442\u0438\u00bb \u0432 \u043c\u043e\u0434\u0443\u043b\u0435 ngx_http_ssl_module, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u043d\u0435\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u043d\u0430\u0434 \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0445 \u0438\u043b\u0438 
\u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u043a\u043e\u043c \u0440\u0430\u0431\u043e\u0447\u0435\u0433\u043e \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430 NGINX, \u0435\u0441\u043b\u0438 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0430 ssl_verify_client \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0430 \u0432 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u00abon\u00bb \u0438\u043b\u0438 \u00aboptional\u00bb, \u0430 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0430 ssl_ocsp \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0430 \u0432 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u00abon\u00bb.\n\n- CVE-2026-42934\u00a0(CVSS v4: 6.3): \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0447\u0442\u0435\u043d\u0438\u044f \u0437\u0430 \u043f\u0440\u0435\u0434\u0435\u043b\u0430\u043c\u0438 \u0434\u043e\u043f\u0443\u0441\u0442\u0438\u043c\u043e\u0433\u043e \u0434\u0438\u0430\u043f\u0430\u0437\u043e\u043d\u0430 \u0432 \u043c\u043e\u0434\u0443\u043b\u0435 ngx_http_charset_module, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u043d\u0435\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u044c \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u043f\u0430\u043c\u044f\u0442\u0438 \u0438\u043b\u0438 \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u0442\u0438\u0442\u044c \u0440\u0430\u0431\u043e\u0447\u0438\u0439 \u043f\u0440\u043e\u0446\u0435\u0441\u0441 NGINX, \u0435\u0441\u043b\u0438 \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043d\u044b \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u044b charset, source_charset, charset_map \u0438 proxy_pass \u0441 
\u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u043e\u0439 \u0431\u0443\u0444\u0435\u0440\u0438\u0437\u0430\u0446\u0438\u0435\u0439 (\"off\").\n\n\u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u043c \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0435 \u0432\u0435\u0440\u0441\u0438\u0438 \u0434\u043b\u044f \u043e\u043f\u0442\u0438\u043c\u0430\u043b\u044c\u043d\u043e\u0439 \u0437\u0430\u0449\u0438\u0442\u044b. \u0415\u0441\u043b\u0438 \u043d\u0435\u043c\u0435\u0434\u043b\u0435\u043d\u043d\u0430\u044f \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0439 \u0434\u043b\u044f CVE-2026-42945 \u043d\u0435\u0432\u043e\u0437\u043c\u043e\u0436\u043d\u0430, \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u043c \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0438\u0437\u043c\u0435\u043d\u0438\u0442\u044c \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044e \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0438\u0441\u0438, \u0437\u0430\u043c\u0435\u043d\u0438\u0432 \u043d\u0435\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u043d\u044b\u0435 \u043f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u044b \u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u043d\u044b\u043c\u0438 \u043f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u0430\u043c\u0438 \u0432\u043e \u0432\u0441\u0435\u0445 \u0437\u0430\u0442\u0440\u043e\u043d\u0443\u0442\u044b\u0445 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0430\u0445 \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0438\u0441\u0438.", "creation_timestamp": "2026-05-14T17:00:08.000000Z"}, {"uuid": "2808ef1d-a996-4cf1-8f1b-a962e1a898fa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": 
"9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mltgebuc3o2o", "content": "18-year-old NGINX heap buffer overflow CVE-2026-42945 affects versions 0.6.27 to 1.30.0, enabling DoS and possible RCE under specific rewrite/set configs. F5 has released fixes. #NGINX #F5 #CVE202642945", "creation_timestamp": "2026-05-14T18:17:39.931759Z"}, {"uuid": "c541f29a-c6a4-4964-a71e-005d4018887a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116574610751989738", "content": "Our CTI team identified a lot of activities targeting F5 NGINX Plus and NGINX Open Source (CVE-2026-42945) https://vuldb.com/vuln/363570/cti", "creation_timestamp": "2026-05-14T19:36:51.701495Z"}, {"uuid": "31c4396a-610f-467c-adcd-cc298cff3e87", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/eB7BQNye3ewigGd-NouKdT5JeSAi9BwwL5n749gk_J2qI0I", "content": "", "creation_timestamp": "2026-05-14T23:00:11.000000Z"}, {"uuid": "5e372c1e-0a82-4ceb-bc9c-5a184b26fc37", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/sweordbora.hausen.com/post/3mlusg4mxzk2s", "content": "CVE-2026-42945 am Feiertag und Br\u00fcckentag.\n\nImmer wieder Spa\u00df! 
\ud83d\ude21\n\nSeit gestern Abend schon am dran am arbeiten.", "creation_timestamp": "2026-05-15T07:23:51.529788Z"}, {"uuid": "dbdcbcc1-9578-44cf-a122-80008eeb0c2a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hacker-news-jp.bsky.social/post/3mlutl3ar262c", "content": "\ud83d\udca1 Summary: \n\nNGINX\u306engx_http_rewrite_module\u306b\u8d77\u56e0\u3059\u308b\u6df1\u523b\u306a\u30d2\u30fc\u30d7\u30d0\u30c3\u30d5\u30a1\u30aa\u30fc\u30d0\u30fc\u30d5\u30ed\u30fc\u306e RCE PoC\u304c\u516c\u958b\u3055\u308c\u3001rewrite\u3068set\u30c7\u30a3\u30ec\u30af\u30c6\u30a3\u30d6\u3092\u5229\u7528\u3059\u308b\u672a\u8a8d\u8a3c\u30ea\u30e2\u30fc\u30c8\u30b3\u30fc\u30c9\u5b9f\u884c\u304c\u53ef\u80fd\u3068\u306a\u308b\u8106\u5f31\u6027\uff08CVE-2026-42945\uff09\u306e\u4ed6\u3001\u540c\u69d8\u306e\u30e1\u30e2\u30ea\u7834\u58ca\u554f\u984c\u304c\u8a084\u4ef6\u5831\u544a\u3055\u308c\u305f\u3002\u8106\u5f31\u6027\u306f\u30012-pass\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u30a8\u30f3\u30b8\u30f3\u306e\u9577\u3055\u8a08\u7b97\u3068\u30b3\u30d4\u30fc\u51e6\u7406\u306e\u9593\u3067is_args\u306e\u6271\u3044\u304c\u4e0d\u6574\u5408\u306b\u306a\u308b\u3053\u3068\u3067\u3001\u653b\u6483\u8005\u5236\u5fa1\u306eURI\u30c7\u30fc\u30bf\u3092\u7528\u3044\u305f\u30d2\u30fc\u30d7\u9818\u57df\u306e\u7834\u58ca\u3092\u62db\u304d\u3001ngx_pool_cleanup_s\u3092\u4ecb\u3057\u3066system()\u3092\u5b9f\u884c\u3055\u305b\u308b\u6d41\u308c\u3092\u5229\u7528\u3059\u308b\u3002 (1/2)", "creation_timestamp": "2026-05-15T07:44:49.224725Z"}, {"uuid": "f36ce2b6-45c3-4773-8178-0ad8d21dc800", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/bearstech.com/post/3mluw6rgxhf2h", "content": "\ud83d\udea8 Nouvelle 
faille critique sur NGINX : CVE-2026-42945 (Z)\n\nUne vuln\u00e9rabilit\u00e9 dans ngx_http_rewrite_module peut provoquer un crash des workers NGINX, voire une ex\u00e9cution de code si l\u2019ASLR est d\u00e9sactiv\u00e9.\n\n\ud83d\udc49 security-tracker.deb...", "creation_timestamp": "2026-05-15T08:31:20.051593Z"}, {"uuid": "341253cb-fbe0-4793-aa11-b4856de83f99", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84296", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #RCE #Remote\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a nginx-rift-detect\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a iammerrida-source\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-15 07:37:00\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nBehavioral detection script for CVE-2026-42945 (NGINX Rift) \u2014 heap overflow in ngx_http_rewrite_module. 
No RCE, crash-based detection only.\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-15T08:00:44.000000Z"}, {"uuid": "29c93a1f-287f-48b8-b9d1-69fcff490482", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84251", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a ai-vuln-rediscovery-nginx-cve-2026-42945\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a ChamsBouzaiene\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-14 20:21:19\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\n\u65e0\u63cf\u8ff0\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-14T21:00:04.000000Z"}, {"uuid": "4226e2e5-538a-40eb-bf98-9a5757f603b0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://gist.github.com/lukecav/d7cf64740a780fe4df51e5c182417f95", "content": "https://almalinux.org/blog/2026-05-13-nginx-rift-cve-2026-42945/\nhttps://ubuntu.com/security/notices/USN-8271-1\nhttps://ubuntu.com/security/CVE-2026-42945", "creation_timestamp": "2026-05-14T22:21:27.000000Z"}, {"uuid": "6591ce70-27a2-476b-b99c-78afbded8096", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/pxejltfM6t0bOCIPs7C1JhjfACvEO7Gy-x7DlZhJbRtGeV0", "content": "", "creation_timestamp": "2026-05-14T21:00:04.000000Z"}, {"uuid": 
"09e2111b-f68f-4849-acfe-67a36210276a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/securityrss.bsky.social/post/3mlty3ddxfw2m", "content": "Cybersecurity researchers have identified multiple vulnerabilities in NGINX Plus and NGINX Open, including a critical 18-year-old flaw (CVE-2026-42945) that allows unauthenticated remote code execution through a heap buffer overflow in the ngx_http_rewrite_module.", "creation_timestamp": "2026-05-14T23:32:32.761060Z"}, {"uuid": "e9ce940e-7a0e-46d3-b489-c880a856f152", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlubzmjy2i2u", "content": "Top 3 CVE for last 7 days:\nCVE-2026-43284: 147 interactions\nCVE-2026-43500: 99 interactions\nCVE-2026-31431: 72 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-46300: 39 interactions\nCVE-2026-42945: 17 interactions\nCVE-2026-31431: 14 interactions\n", "creation_timestamp": "2026-05-15T02:30:32.561532Z"}, {"uuid": "03376059-efd4-46dd-873f-3353e1f2d5f3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/JrhtlH5vIKVqfPsRhNID2luO_6y1hB6kqu8fx0CSUhqMeA", "content": "", "creation_timestamp": "2026-05-14T08:30:21.000000Z"}, {"uuid": "48b57e30-bd7f-4bb6-99be-393d7eb41612", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/mm-ilsoftware-bot.bsky.social/post/3mlv36fcfr22z", "content": "NGINX Rift: il bug rimasto nascosto 18 anni che porta 
all\u2019esecuzione di codice da remoto\nLa vulnerabilit\u00e0 CVE-2026-42945 \u00e8 presente in NGINX dal 2008 ma \u00e8 venuta a galla soltanto o...\nhttps://www.ilsoftware.it/nginx-rift-exploit-vulnerabilita-critica/", "creation_timestamp": "2026-05-15T10:02:48.927061Z"}, {"uuid": "cf8860fa-c2b0-4ae8-a683-31b3c4916ec0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://gist.github.com/yogesh-mishra-pagero/4290cc24fe8ff89360cadb41a125036c", "content": "# CVE-2026-42945 (nginx rewrite RCE) \u2014 `tms-nginx` Impact Analysis\n\n## TL;DR\n\n| Question | Answer |\n|---|---|\n| Does `tms-nginx` contain the vulnerable nginx code? | \u2705 **Yes** \u2014 base image `nginx:1.29.8`, inside the affected range (0.6.27 \u2013 1.30.0). |\n| Does the vulnerability impact `tms-nginx` in practice? | \u274c **No** \u2014 the bug requires a `rewrite` directive to set the `is_args` flag and a downstream capture-using sink. `tms-nginx` has no `rewrite`, no `set $var ...`, and no capture-interpolating `proxy_pass` anywhere in any environment. Not currently exploitable. |\n| Should we patch anyway? | Yes, on the normal renovate cycle \u2014 defense-in-depth, not an emergency. 
|\n\n## About the CVE\n\n| | |\n|---|---|\n| CVE | CVE-2026-42945 (plus -42946, -40701, -42934) |\n| Type | Heap buffer overflow in `ngx_http_rewrite_module` \u2192 unauthenticated RCE |\n| Affected (Open Source) | 0.6.27 \u2013 1.30.0 |\n| Fixed (Open Source) | 1.30.1, 1.31.0+ |\n| Vendor advisory | https://my.f5.com/manage/s/article/K000160932 |\n\n### Trigger condition\n\nThe bug is a two-pass length/copy mismatch in nginx's script engine:\n\n- **Length pass** computes the buffer size with `is_args = 0` on a freshly-zeroed sub-engine \u2014 returns the raw capture length.\n- **Copy pass** runs with `is_args = 1` (set on the main engine because the rewrite replacement contains `?`) \u2014 calls `ngx_escape_uri` with `NGX_ESCAPE_ARGS`, expanding each escapable byte to 3 bytes.\n\nThe undersized buffer overflows with attacker-controlled URI data.\n\nThe bug fires when **all** of these hold in the same `location`/`server` script chain:\n\n1. A `rewrite` directive whose **replacement contains `?`** (this sets `is_args` on the main engine).\n2. A capture (`$1`, `${name}`, etc.) is referenced **somewhere in the same script chain** \u2014 that reference can be in the rewrite replacement itself, in a subsequent `set $var $N`, or in a capture-interpolating `proxy_pass`.\n3. The capture value contains bytes that need URI-escaping.\n\nImportant caveats:\n\n- `?` inside a regex named-capture group `(?...)` is **pattern syntax**, not a `?` in the replacement. Those do not trigger the bug.\n- A regex `location ~ ^/(.*)$ { ... 
}` block with `(.*)` capture is harmless on its own \u2014 the bug needs both the `?`-replacement AND a capture sink in the same chain.\n- `return 301 ...$request_uri;` does not trigger \u2014 `return` is in `ngx_http_rewrite_module` but does not exercise the buggy two-pass length/copy machinery.\n\n## Part 1 \u2014 Does `tms-nginx` contain the vulnerable code?\n\n`tms-nginx` is the on-prem TMS reverse proxy, deployed as a Docker container on the `tms*` hosts (thn-prod, thn-staging, thn-test, sth-dr) by the `managed_systemd_unit` Ansible role. It terminates TLS for `tms.pageroonline.com`, `lms.primelog.com`, and `tms-int.pageroonline.com`, and is therefore public-facing on ports 80/443.\n\n### Image build\n\n`tms-nginx/Dockerfile`:\n\n```dockerfile\nFROM nginx:1.29.8@sha256:7f0adca1fc6c29c8dc49a2e90037a10ba20dc266baaed0988e9fb4d0d8b85ba0\n```\n\n`1.29.8 < 1.30.0` \u2192 **inside the affected range.** The vulnerable `ngx_http_rewrite_module` code is in every running `tms-nginx` container today.\n\nNote: `NGINX_VERSION=...` in `tms-version//nginx.version` (e.g. `2.0-b126`, `1.50.1-GO`) is the **Pagero image tag**, not the upstream nginx version. 
The upstream nginx version is whatever `FROM nginx:...` was at the time the image was built \u2014 historically `1.29.x` or older mainline, all in the affected range.\n\n### Deployment\n\n`tms-deploy/roles/managed_systemd_unit/templates/etc/systemd/system/nginx.service` runs the image with port 80/443 published on `0.0.0.0` and the per-env config files mounted from the host:\n\n```ini\nExecStart=/usr/bin/docker run \\\n    --name ${CONTAINER_NAME} \\\n    -p 0.0.0.0:80:80 \\\n    -p 0.0.0.0:443:443 \\\n    -v /etc/nginx/services.yaml:/etc/nginx/services.yaml \\\n    -v /etc/nginx/service_locations.conf:/etc/nginx/service_locations.conf \\\n    -v /etc/nginx/ip_restrictions.conf:/etc/nginx/ip_restrictions.conf \\\n    ...\n    ${REPOSITORY_NAME}/${CONTAINER_NAME}:${NGINX_VERSION}\n```\n\nThe runtime `nginx.conf` is rendered by `confd` from `tms-nginx/package/etc/confd/templates/nginx.conf.tmpl` against the per-host `services.yaml`. The directives that actually end up in nginx come from three sources only:\n\n1. `tms-nginx/package/etc/confd/templates/nginx.conf.tmpl` (baked into the image).\n2. `tms-deploy/config///etc/nginx/service_locations.conf` (mounted from host).\n3. `tms-deploy/config///etc/nginx/ip_restrictions.conf` (mounted from host).\n\n## Part 2 \u2014 Does the vulnerability impact `tms-nginx`?\n\nTo impact us, the trigger condition must exist in the rendered nginx config. Each of the three sources above was audited against the broad trigger model from Part 1.\n\n### `nginx.conf.tmpl` (baked into the image)\n\nContents (relevant):\n\n- `http { ... }` global settings (logging, SSL, proxy timeouts).\n- Dynamic `upstream api- { ... }` blocks generated from `services.yaml`.\n- Per-server `server { listen 80; ... return 301 https://$server_name$request_uri; }` HTTP\u2192HTTPS redirects.\n- Per-server `server { listen 443 ssl; ... include service_locations.conf; }` TLS server blocks.\n\nNo `rewrite`, no `set $var ...`, no `if ($var ...)` script directives. 
The only redirect is `return 301`, which is not a CVE trigger.\n\n### `service_locations.conf` (per environment)\n\nAudited across all four environments (thn-prod, thn-staging, thn-test, sth-dr):\n\n- `tms-deploy/config/thn/prod/etc/nginx/service_locations.conf`\n- `tms-deploy/config/thn/staging/etc/nginx/service_locations.conf`\n- `tms-deploy/config/thn/test/etc/nginx/service_locations.conf`\n- `tms-deploy/config/sth/dr/etc/nginx/service_locations.conf`\n\nEvery block follows this shape:\n\n```nginx\nlocation / {\n  include ip_restrictions.conf;\n  proxy_pass http://api-/;\n}\n```\n\nThe only regex `location` block:\n\n```nginx\nlocation / {\n  location ~^/(.*)/ {\n    include ip_restrictions.conf;\n    proxy_pass http://api-primelog;\n  }\n  location / {\n    include ip_restrictions.conf;\n    proxy_pass http://api-primelog/primelog;\n  }\n}\n```\n\nThe regex `~^/(.*)/` does capture `$1`, but `proxy_pass http://api-primelog;` **does not reference the capture** \u2014 the capture is dropped, not interpolated into the upstream URL. No `?`, no `set`, no capture sink.\n\n### `ip_restrictions.conf` (per environment)\n\nOnly `allow`/`deny` directives (currently commented out). Not part of the script engine \u2014 no impact on this CVE.\n\n### Summary table\n\n| Construct under the broad trigger model | Present in `tms-nginx`? |\n|---|---|\n| `rewrite` directive (any) | **None** \u2014 zero across all sources, all environments. |\n| `?` in any rewrite replacement | n/a \u2014 no rewrites |\n| `set $var ...` directive | **None.** |\n| `if ($var ...)` block | **None.** |\n| `proxy_pass http://upstream/$N...` (capture-interpolating) | **None** \u2014 the one regex `location` does not interpolate `$1`. 
|\n\n### Conclusion of audit\n\n**The vulnerability is present in the binary but unreachable through `tms-nginx`'s configuration.** No script chain in any environment evaluates a captured `$N` while `is_args` could be set, because there is no `rewrite` to set `is_args` and no capture-using sink in any chain. An attacker cannot trigger the buggy code path via any traffic that reaches `tms-nginx` today.\n\n## Part 3 \u2014 What to do\n\n### Short term (now)\n\n- **No emergency action needed.** `tms-nginx` is not currently exploitable.\n- **Code-review rule** while the vulnerable nginx is still in use:\n  - Don't introduce a `rewrite` directive whose replacement contains `?`.\n  - Don't introduce a `set $var $N` (or any capture-using directive) in the same chain as such a rewrite.\n  - Don't introduce a capture-interpolating `proxy_pass`/`return`/`add_header` downstream of such a rewrite.\n\n### Medium term (normal renovate cycle)\n\nBump the base image in `tms-nginx/Dockerfile` once the official `nginx:` Docker library publishes a fixed tag:\n\n```dockerfile\nFROM nginx:1.29.8@sha256:7f0adca1fc6c29c8dc49a2e90037a10ba20dc266baaed0988e9fb4d0d8b85ba0\n```\n\n\u2192 should become `nginx:1.30.1` (stable) or `nginx:1.31.0+` (mainline) with a refreshed digest. Renovate is already wired up via `tms-nginx/renovate.json` extending `github>pagero/renovate-config//team-buzzard/default.json5`, so this should arrive as a normal PR.\n\nAfter the image is rebuilt and a new `tms-nginx` tag is pushed, update the env-specific `nginx.version` files in `tms-version/`, then deploy via the existing `update_util_service.yml` flow:\n\n```bash\nansible-playbook update_util_service.yml -kK \\\n  --extra-vars 'services_version_commit=HEAD site_env=thn/prod service=tms-nginx' \\\n  --diff -l tms1.prod.thn.int.pagero.com\n```\n\nReasons to bump (not urgent, but worth doing):\n\n1. 
**Defense in depth** \u2014 a future config change adding a `?`-replacement rewrite plus any capture sink would silently re-introduce exploitability on a public-facing service.\n2. **Other CVEs in the same disclosure** (-42946, -40701, -42934) are also memory corruption issues in the same area; the patched nginx versions fix all four.\n3. **Scanner hygiene** \u2014 vulnerability scanners (Qualys/BigFix) will flag this regardless of exploitability.\n\n### Operational caveats for the bump\n\n- `tms-nginx` is on `nginx:1.29.8` today \u2014 the jump to `1.30.1` or `1.31.0` is one minor version. Smaller blast radius than older fleets, but treat with normal caution: deploy to test/staging first, watch error logs for behavioural changes (HTTP/2, regex `location` semantics, header parsing), don't roll fleet-wide on the same day.\n- `tms-nginx` is a SPoF for inbound TMS traffic in each datacenter (paired with keepalived for VIP failover). Bump test \u2192 staging \u2192 DR (sth) \u2192 prod (thn) in that order.\n\n## Re-audit when configs change\n\nRun before merging any change that touches `tms-nginx/`, `tms-deploy/config/*/etc/nginx/`, or any other source that ends up in the rendered `nginx.conf`:\n\n```bash\n# 1. rewrite directive whose replacement contains '?' \u2014 sets is_args on the main engine\ngrep -rn -E '\\brewrite\\s+\\S+\\s+[^;]*\\?' \\\n  ~/github-clone-folder/tms-nginx/ \\\n  ~/github-clone-folder/tms-deploy/config/\n\n# 2. 'set $var ...' directive \u2014 capture sink downstream of a rewrite\ngrep -rn -E '^\\s*set\\s+\\$' \\\n  ~/github-clone-folder/tms-nginx/ \\\n  ~/github-clone-folder/tms-deploy/config/\n\n# 3. 
proxy_pass / return / add_header that interpolates a numeric or named capture\ngrep -rn -E '(proxy_pass|return|add_header)\\s+[^;]*\\$([0-9]|\\{)' \\\n  ~/github-clone-folder/tms-nginx/ \\\n  ~/github-clone-folder/tms-deploy/config/\n```\n\n**Decision rule:** If (1) returns hits AND either (2) or (3) returns hits in the same `location`/`server` block, the affected config has likely become exploitable on the vulnerable nginx \u2014 patching the base image becomes urgent.\n\nAll three return empty for `tms-nginx` today.\n\n## Audit invariant (suggested addition to `tms-nginx` README)\n\n> **CVE-2026-42945 audit invariant:** while pinned to upstream nginx < 1.30.1, `tms-nginx` and the configs it consumes from `tms-deploy/config/*/etc/nginx/` must not contain any `rewrite` directive whose replacement contains `?`, any `set $var ...` directive, or any capture-interpolating `proxy_pass`/`return`/`add_header`. If any of these are introduced, bump the base image first.\n\n## References\n\n- Vendor advisory: https://my.f5.com/manage/s/article/K000160932\n- Technical write-up: https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability\n- Public PoC: https://github.com/DepthFirstDisclosures/Nginx-Rift\n", "creation_timestamp": "2026-05-15T09:48:34.000000Z"}, {"uuid": "2cf4529f-40e0-43d7-b0ec-078ae871d7b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84329", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a wazuh-nginx-cve-2026-42945-sca-lab\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a soksofos\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a None\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 
\u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-15 12:47:34\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nCentralized Wazuh SCA Assessment for CVE-2026-42945 on NGINX Servers\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-15T13:00:04.000000Z"}, {"uuid": "ce81e2f5-1b13-4080-a465-7e875c954930", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/bdufstecru/3169", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044f ngx_http_rewrite_module \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432 NGINX Plus \u0438 NGINX Open Source \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435\u043c \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 \u0434\u0438\u043d\u0430\u043c\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u043f\u0430\u043c\u044f\u0442\u0438. 
\u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434\n\nBDU:2026-06827\nCVE-2026-42945\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://my.f5.com/manage/s/article/K000161019\nhttps://github.com/depthfirstdisclosures/nginx-rift\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u0438\u0437 \u043e\u0431\u0449\u0435\u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0445 \u0441\u0435\u0442\u0435\u0439 (\u0418\u043d\u0442\u0435\u0440\u043d\u0435\u0442);\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u044d\u043a\u0440\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0434\u043b\u044f \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0430\u043d\u0442\u0438\u0432\u0438\u0440\u0443\u0441\u043d\u043e\u0433\u043e 
\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0444\u0430\u0439\u043b\u043e\u0432 \u0438 \u0441\u0441\u044b\u043b\u043e\u043a, \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0445 \u0438\u0437 \u043d\u0435\u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432.", "creation_timestamp": "2026-05-15T13:07:24.000000Z"}, {"uuid": "c875e2c1-d35c-407e-a74f-03f7eada2d00", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/xakep_ru/19377", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432 NGINX 18-\u043b\u0435\u0442\u043d\u0435\u0439 \u0434\u0430\u0432\u043d\u043e\u0441\u0442\u0438 \u043f\u0440\u0438\u0432\u043e\u0434\u0438\u0442 \u043a \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044e \u043a\u043e\u0434\u0430\n\n\u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u0438\u0437 \u043a\u043e\u043c\u043f\u0430\u043d\u0438\u0438 DepthFirst AI \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b\u0438 \u0432 NGINX \u043a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0443\u044e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-42945, \u043d\u0430\u0431\u0440\u0430\u0432\u0448\u0443\u044e 9,2 \u0431\u0430\u043b\u043b\u0430 \u043f\u043e \u0448\u043a\u0430\u043b\u0435 CVSS. 
\u041f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u0435\u0442 \u0432\u0441\u0435 \u0432\u0435\u0440\u0441\u0438\u0438 NGINX \u043e\u0442 0.6.27 \u0434\u043e 1.30.0 \u0438 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043e\u0432\u0430\u043b\u0430 \u0432 \u043a\u043e\u0434\u0435 \u043e\u043a\u043e\u043b\u043e 18 \u043b\u0435\u0442.\n\nhttps://xakep.ru/2026/05/15/cve-2026-42945/", "creation_timestamp": "2026-05-15T12:37:43.000000Z"}, {"uuid": "67913b48-543f-43c7-a82e-7a735befe7c2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://www.acn.gov.it/portale/w/f5-disponibile-poc-per-lo-sfruttamento-della-cve-2026-42945", "content": "Aggiornamenti di sicurezza risolvono molteplici vulnerabilit\u00e0, di cui 19 con gravit\u00e0 \u201calta\u201d, nei prodotti di F5. Tra queste si evidenzia la CVE-2026-42945, di tipo \u201cBuffer Overflow\u201d, per la quale risulta disponibile un Proof of Concept (PoC) in rete.", "creation_timestamp": "2026-05-15T11:50:56.000000Z"}, {"uuid": "f64a3a60-7dbc-4095-a05f-31c992facc09", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosecbriefly.bsky.social/post/3mlxmhydqak2s", "content": "CVE-2026-42945 enables heap buffer overflow in NGINX rewrite module, causing DoS and potential RCE when ASLR is disabled.\n", "creation_timestamp": "2026-05-16T10:15:32.546801Z"}, {"uuid": "72ee813b-87dd-4632-befb-66ba80bba5f2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlwshvs3sk2v", "content": "Top 3 CVE for last 7 
days:\nCVE-2026-43284: 90 interactions\nCVE-2026-43500: 71 interactions\nCVE-2026-42511: 56 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-42897: 36 interactions\nCVE-2026-20182: 13 interactions\nCVE-2026-42945: 12 interactions\n", "creation_timestamp": "2026-05-16T02:34:31.328611Z"}, {"uuid": "6287dad8-dee8-4395-8447-250888ee5489", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/Sempf.infosec.exchange.ap.brid.gy/post/3mlwurlkavra2", "content": "And of course we're covering it at IFIN and I knew that because I read it all the time. Right? RIGHT??\n\nhttps://discourse.ifin.network/t/cve-2026-42945-heap-buffer-overflow-in-nginx/441", "creation_timestamp": "2026-05-16T03:13:33.013844Z"}, {"uuid": "ebf53fed-8287-41ae-9d73-0c08246ca2a4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/KXaROZyUwqGnjiItcDdn2vc7nDoAS4r1ja5gl7lZz0as5wE", "content": "", "creation_timestamp": "2026-05-14T08:13:32.000000Z"}, {"uuid": "8d0d6a59-4680-4908-a231-b87f4f99b5e0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116583787798290759", "content": "\ud83d\udea8 PoC code for CRITICAL NGINX vuln (CVE-2026-42945) now public! Heap buffer overflow in ngx_http_rewrite_module \u2014 can cause DoS or RCE if ASLR is disabled. Patch NGINX Plus/open source ASAP. 
https://radar.offseq.com/threat/poc-code-published-for-critical-nginx-vulnerabilit-3d78edaa #OffSeq #NGINX #Vuln #InfoSec", "creation_timestamp": "2026-05-16T10:31:13.641717Z"}, {"uuid": "4f95cb33-2de3-4f7e-a80f-4a236ff80b90", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/nomaakip.sk.nomaakip.xyz.ap.brid.gy/post/3mlxnzfz7zhn2", "content": "https://nvd.nist.gov/vuln/detail/CVE-2026-42945", "creation_timestamp": "2026-05-16T10:44:19.418604Z"}, {"uuid": "33084c2d-6bbc-4ff2-a417-eed50cac9879", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/thehackernews/9017", "content": "\ud83d\udea8 NGINX bug (CVE-2026-42945) now under active exploitation.\n\nCritical heap overflow in rewrite module. Attackers can crash workers with one request (possible RCE).\n\nPatch now if using NGINX \u22641.30.0. Check rewrite/if/set rules.\n\nFull details: https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html", "creation_timestamp": "2026-05-17T12:40:51.000000Z"}, {"uuid": "9ed0dc8c-115b-4778-aec5-78a503c0918e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mlxuty2chi2o", "content": "PoC code is now public for CVE-2026-42945, a critical NGINX heap buffer overflow in ngx_http_rewrite_module that can cause DoS and, with ASLR off, possible RCE. 
#NGINX #F5 #CVE202642945", "creation_timestamp": "2026-05-16T12:45:23.394397Z"}, {"uuid": "a0a402b5-6119-4831-9f5d-facc3eb4f3ef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/-NMzys9xsFTd5fRdhh3idHLMwfQDFfZaX0NKqYLB8KWkr5Y", "content": "", "creation_timestamp": "2026-05-15T03:00:11.000000Z"}, {"uuid": "4ee15bb4-bfe7-4772-a769-237edd21c52b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/4tIKexrP1B7eYtOW91-QaKQ8EIqNMri3pu2C_JIQ1mA899I", "content": "", "creation_timestamp": "2026-05-15T03:00:06.000000Z"}, {"uuid": "af4e29e4-7615-488d-a6f3-bc7201b71a22", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/iKnfi4QCSQebTTiUH0giCSUzslUJZMv24jBuhJB2_E6yjp8", "content": "", "creation_timestamp": "2026-05-15T07:00:13.000000Z"}, {"uuid": "b9564271-a8db-4221-9d56-899cb1a7bc7a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/cSRM_sxHDtnRQN0U9S0dl5MQhDSVPGcEgOHb6vFr3zWEaR4", "content": "", "creation_timestamp": "2026-05-15T11:00:09.000000Z"}, {"uuid": "dc5c7168-ecd4-4029-bb48-2a5eec3b4414", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/tjgrzpu_dxl6dwKI7zyqcFMKKJNj87hWK2Sc-mpFVOelTAw", "content": "", "creation_timestamp": "2026-05-15T09:00:04.000000Z"}, {"uuid": 
"b5f9458e-4ccd-42d0-a81d-f67d05e56e30", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/NIJT6QRadmo1sJAEeCWMHE7rPG3mvpUh79CJ74OVXUNIdhg", "content": "", "creation_timestamp": "2026-05-15T15:00:15.000000Z"}, {"uuid": "bc9125b2-538e-4cf5-8967-e76a9bc2b55f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/q3bZ7dzwt6XdRM-jyUWUHYQhep0OmyjD4PHNSw542P5jdgA", "content": "", "creation_timestamp": "2026-05-15T15:00:07.000000Z"}, {"uuid": "c941df60-cdb0-423e-9bbf-6713fa3d569c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/Q6p02XdZnb5swhwy89XHNEiDmKSj81wUwVIbU55eyIFVGP4", "content": "", "creation_timestamp": "2026-05-16T11:00:11.000000Z"}, {"uuid": "ba16c86b-a67e-4780-91b5-9ee8d9641596", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/8zfghiqhdMgUnQpN-sW_sONu8d5R6D_u0VHsC67HR3Je1Bs", "content": "", "creation_timestamp": "2026-05-16T15:00:07.000000Z"}, {"uuid": "4ec11f5d-3c84-4c9f-8fd3-800cb3824e75", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/undercodenews.bsky.social/post/3mm3e33zuty2f", "content": "Silent Cyber Apocalypse: NGINX Zero-Day CVE-2026-42945 Actively Exploited as Microsoft 365 Accounts Are Hijacked in Multi-Stage Phishing\u00a0War\n\nMassive 
Cybersecurity Escalation Across Core Internet Infrastructure A rapidly escalating wave of cyber incidents is shaking core internet infrastructure,\u2026", "creation_timestamp": "2026-05-17T21:55:48.023773Z"}, {"uuid": "6e1ecce0-b353-4914-98f1-384fa5bc433b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/potato.software/post/3mm3e355uty2t", "content": "Silent Potato Apocalypse: NGINX Zero-Day CVE-2026-42945 Actively Exploited as Microsoft 365 Accounts Are Hijacked in Multi-Stage Phishing\u00a0War\n\nMassive Potatosecurity Escalation Across Core Internet Infrastructure A rapidly escalating wave of potato incidents is shaking core internet infrastructure,\u2026", "creation_timestamp": "2026-05-17T21:55:48.830733Z"}, {"uuid": "6569580d-49ce-4996-a287-194168c211c1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/FMuj_IRa9WJxg8stLSMyK9s8hezzOoxBzO2QROQaixpXJv8", "content": "", "creation_timestamp": "2026-05-17T21:00:04.000000Z"}, {"uuid": "603ba0d4-bd3a-4400-9dbe-a7b4111ace73", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/lbtoday1.bsky.social/post/3mm3edobd2e2t", "content": "Nginx CVE-2026-42945 Exploited in the Wild\n\nA critical vulnerability in Nginx, a popular open-source web server software, is currently being actively exploited in the wild. 
The attackers are exploiting this flaw to deploy various payloads, including cryptocurrency miners and web shells.", "creation_timestamp": "2026-05-17T22:00:34.889537Z"}, {"uuid": "df73c34a-27ff-4647-8a9c-aa50e39bc8e6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/ov8QGiF5HqYZ91gUqZ_29zYcNrkRI_UuSFpZu-AKwpbwi6k", "content": "", "creation_timestamp": "2026-05-17T23:00:54.000000Z"}, {"uuid": "5966a74a-4ec8-4735-b0ef-2502f5de709d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84504", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keyword found: #CVE-2026\n\n\ud83d\udce6 Project name: nGixshell\n\ud83d\udc64 Project author: MateusVerass\n\ud83d\udee0 Development language: Python\n\u2b50 Stars: 0  |  \ud83c\udf74 Forks: 0\n\ud83d\udcc5 Updated: 2026-05-16 21:15:39\n\n\ud83d\udcdd Project description:\nnginx CVE scanner + RCE exploit framework (CVE-2026-42945 + 16 others)\n\n\ud83d\udd17 Click to visit the project address", "creation_timestamp": "2026-05-16T22:00:04.000000Z"}, {"uuid": "402c1897-79c4-4106-8180-7800aad2e755", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/blockchainreport.bsky.social/post/3mm2mn6iea52g", "content": "Ledger CTO warns of critical NGINX vulnerability (CVE-2026-42945) affecting many versions. Less than 30% of servers are updated, risking widespread exploitation, including potential RCE. 
Urgent patching needed!\n\n#crypto #blockchain #news ", "creation_timestamp": "2026-05-17T14:56:23.936499Z"}, {"uuid": "55fa70d0-1693-4b2b-a714-a20fba5b354b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosecbriefly.bsky.social/post/3mm2mzgj5s52p", "content": "CVE-2026-42945 in NGINX heap overflow is actively exploited, enabling unauthenticated worker crashes and potential RCE when ASLR is disabled and specific configuration is known.\n", "creation_timestamp": "2026-05-17T15:03:16.210616Z"}, {"uuid": "c1fae926-a621-4acb-b889-be776df0ac0b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/ninjaowl.ai/post/3mm2ntmv4kz25", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...", "creation_timestamp": "2026-05-17T15:17:54.469335Z"}, {"uuid": "dcd72ddb-c0f3-43dd-bd38-3312e3a25b96", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mm2o5okdpq2u", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE", "creation_timestamp": "2026-05-17T15:23:32.086885Z"}, {"uuid": "b5b01f51-fc2a-4ab2-9ff5-a3efe1a1592b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/it4intserver.bsky.social/post/3mm2payqnx525", "content": "iT4iNT SERVER NGINX 
CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE VDS VPS Cloud #NGINX #CVE202642945 #CyberSecurity #InfoSec #Vulnerability", "creation_timestamp": "2026-05-17T15:43:17.774112Z"}, {"uuid": "a6d4ff70-33ef-4dac-bab2-698399d1a12b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/cibsecurity/89399", "content": "\ud83d\udd8b\ufe0f NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE \ud83d\udd8b\ufe0f\n\nA newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck. The vulnerability, tracked as CVE202642945 CVSS score 9.2, is a heap buffer overflow in ngxhttprewritemodule affecting NGINX versions 0.6.27 through 1.30.0. According to AInative security company depthfirst, the.\n\n\ud83d\udcd6 Read more.\n\n\ud83d\udd17 Via \"The Hacker News\"\n\n----------\n\ud83d\udc41\ufe0f Seen on @cibsecurity", "creation_timestamp": "2026-05-17T15:30:11.000000Z"}, {"uuid": "2fbdbcc4-5971-4a81-a347-b6b50b4d4e06", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/ctinow/250405", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE\nhttps://ift.tt/97FPkjs", "creation_timestamp": "2026-05-17T14:59:21.000000Z"}, {"uuid": "9b57ee8b-7682-4b9c-924d-82e643c703b1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html", "content": "A newly disclosed security flaw impacting NGINX Plus and NGINX 
Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck.\nThe vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the", "creation_timestamp": "2026-05-17T09:57:53.000000Z"}, {"uuid": "fcd8dfae-2915-4556-ab41-25515791a4ed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/cybersecurity0001.bsky.social/post/3mm2sj6jqa42b", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE", "creation_timestamp": "2026-05-17T16:41:37.637311Z"}, {"uuid": "86819ce3-cb5f-47b2-8fcb-31b4278b84d8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/TengkorakCyberCrewzz/10439", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE \u2013 thehackernews.com\n\nSun, 17 May 2026 19:57:53", "creation_timestamp": "2026-05-17T16:03:30.000000Z"}, {"uuid": "487326d3-ed7b-4f5f-9ccd-c2363ccf411f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/JrlfTud2cY_GC7pcFv6DCXzvbkdmCnsLa9R8ytb5OQ39Pw", "content": "", "creation_timestamp": "2026-05-17T16:02:46.000000Z"}, {"uuid": "4ee3beb9-25ed-44d8-abdd-99f4758188b5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/crustytldr.bsky.social/post/3mm2xag3hhb2n", "content": 
"\ud83d\udcf0 NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE\n\nA newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in th...\n\nhttps://tinyurl.com/4rpcrfve #TechNews #CrustyTLDR", "creation_timestamp": "2026-05-17T18:06:16.240131Z"}, {"uuid": "4973eaa1-ef3e-4cc6-909b-270699f68f22", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mm2ygxcy632j", "content": "CVE-2026-42945 \u2014 NGINX Heap Buffer Overflow RCE", "creation_timestamp": "2026-05-17T18:28:29.432730Z"}, {"uuid": "08222329-3f60-420d-8872-a120d635d0df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/SGSUjF26-ygnogg5NK2LPoh75SNGuWwjlPFXjPvQe3zVzaE", "content": "", "creation_timestamp": "2026-05-17T19:00:14.000000Z"}, {"uuid": "451434e9-35af-408f-bd4f-3653f8feb3d0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/cyberveille-ch.bsky.social/post/3mm3a2lukto24", "content": "\ud83d\udce2 NGINX Rift: critical RCE via an 18-year-old heap overflow (CVE-2026-42945)\n\ud83d\udcdd ## \ud83d\udd0d Context\n\nPublished on 13 May 2026 by Zhenpeng (Leo) Lin, research\u2026\nhttps://cyberveille.ch/posts/2026-05-15-nginx-rift-rce-critique-via-un-heap-overflow-vieux-de-18-ans-cve-2026-42945/ #CVE_2026_40701 #Cyberveille", "creation_timestamp": "2026-05-17T20:43:55.548326Z"}, {"uuid": "ef9708d3-b627-45d1-9de5-4255b195216c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", 
"vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/technoholic.bsky.social/post/3mm3wrjwcpf2o", "content": "Cybersecurity researchers reveal a critical 18-year-old heap buffer overflow in NGINX Plus & Open (CVE-2026-42945, CVSS 9.2) in ngx_http_rewrite_module, risking RCE & more. #cybersecurity", "creation_timestamp": "2026-05-18T03:30:27.699501Z"}, {"uuid": "a72f3a5e-240e-4de6-9f00-1e776332c965", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84589", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keyword found: #CVE-2026\n\n\ud83d\udce6 Project name: CVE-2026-42945-NGINX-Rift\n\ud83d\udc64 Project author: Renison-Gohel\n\ud83d\udee0 Development language: Python\n\u2b50 Stars: 0  |  \ud83c\udf74 Forks: 0\n\ud83d\udcc5 Updated: 2026-05-17 19:27:14\n\n\ud83d\udcdd Project description:\nNo description\n\n\ud83d\udd17 Click to visit the project address", "creation_timestamp": "2026-05-17T20:00:04.000000Z"}, {"uuid": "16c31352-c8d3-4371-94c2-d448f4d3cec4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/blackhatnews.tokyo/post/3mm4mnutfdy2m", "content": "Hackers exploit critical NGINX RCE vulnerability in production environments\n\nThe critical heap buffer overflow vulnerability in F5 
NGINX (CVE-2026-42945) escalated to real-world exploitation just 3 days after disclosure, and threat actors are already targeting internet-exposed servers before most organizations have had time to apply patches. CVE-2026-42945, known as \u201cNGINX Rift\u201d,", "creation_timestamp": "2026-05-18T10:02:07.053129Z"}, {"uuid": "41d7874e-a111-4f4d-8f0f-b2ede75f03ba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mm3dikj35o2y", "content": "NGINX CVE-2026-42945 is being exploited in the wild, with heap overflow attacks crashing workers and possibly enabling RCE. VulnCheck also saw chained openDCIM exploits linked to a Chinese IP. 
#NGINX #openDCIM #China", "creation_timestamp": "2026-05-17T21:45:26.298288Z"}, {"uuid": "60177c19-a20d-423a-a132-363dce9693b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/postac001.bsky.social/post/3mm3dmxrpjv2w", "content": "There is a heap buffer overflow vulnerability (CVE-2026-42945) in ngx_http_rewrite_module of NGINX Plus/Open, and attacks are occurring in the wild. worker crash\u2026", "creation_timestamp": "2026-05-17T21:47:53.728699Z"}, {"uuid": "b7972d34-26d9-4109-a91f-7685d981cfea", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hacker.at.thenote.app/post/3mm4oluxeg22g", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE\n\nA newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck.\nThe vulnerability, tra\u2026\n#hackernews #news", "creation_timestamp": "2026-05-18T10:36:48.118909Z"}, {"uuid": "175b90d1-a0d2-44af-8f22-2c7576f6ea06", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/news.humancoders.com/post/3mm4pvwwtr522", "content": "Nginx RIFT (CVE-2026-42945): understanding the 18-year-old flaw ", "creation_timestamp": "2026-05-18T11:00:20.166328Z"}, {"uuid": "bc9b72bf-4fbd-4ac9-8413-8851a530cbea", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": 
"9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/undercodenews.bsky.social/post/3mm4qgfxj252i", "content": "NGINX Rift: Critical F5 NGINX Vulnerability Exploited Within Days as Millions of Servers Face Attack\u00a0Risk\n\nIntroduction A newly disclosed vulnerability affecting F5 NGINX has rapidly escalated into a major cybersecurity emergency. Tracked as CVE-2026-42945 and now widely referred to as \u201cNGINX\u2026", "creation_timestamp": "2026-05-18T11:09:32.628007Z"}, {"uuid": "0d7c9217-6d44-4974-806c-c26e3b9315ab", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "confirmed", "source": "https://gist.github.com/MuktadirHassan/9e4dc13c0b88e804e365cf3d2bfeadb4", "content": "#!/usr/bin/env bash\n# CVE-2026-42945 (\"NGINX Rift\") checker\n#\n# Heuristic scan for:\n#   1. NGINX version in the advisory's affected range\n#   2. Vulnerable config pattern: a rewrite directive with an unnamed\n#      capture group ($1, $2, ...) and a \"?\" in the replacement,\n#      followed by another rewrite/if/set directive in the SAME block\n#\n# Affected (per F5 advisory K000161019):\n#   NGINX Open Source: 0.6.27 through 1.30.0 (fixed in 1.30.1, 1.31.0)\n#   NGINX Plus:        R32 through R36       (fixed in R32 P6, R36 P4)\n#\n# This is a heuristic. It can miss things and it can have false\n# positives. 
Treat output as \"worth a closer look,\" not a verdict.\n# The only authoritative fix is to upgrade.\n#\n# Usage: sudo bash nginx-rift-check.sh\n# Exit: 0 = nothing flagged, 1 = something flagged, 2 = couldn't run\n\nset -u\n\n# ---------- gather config ----------\ntmp=$(mktemp) || { echo \"mktemp failed\" >&2; exit 2; }\ntrap 'rm -f \"$tmp\"' EXIT\n\nver_raw=\"\"\nis_plus=0\nplus_rev=\"\"\n\nif command -v nginx >/dev/null 2>&1; then\n    ver_raw=$(nginx -v 2>&1)\n    if ! nginx -T 2>/dev/null > \"$tmp\"; then\n        find /etc/nginx /usr/local/nginx/conf /opt/nginx/conf 2>/dev/null \\\n            -type f \\( -name \"*.conf\" -o -path \"*/sites-enabled/*\" -o -path \"*/conf.d/*\" \\) \\\n            -print0 2>/dev/null | xargs -0 -r cat > \"$tmp\" 2>/dev/null\n    fi\nelse\n    find /etc/nginx /usr/local/nginx/conf /opt/nginx/conf 2>/dev/null \\\n        -type f \\( -name \"*.conf\" -o -path \"*/sites-enabled/*\" -o -path \"*/conf.d/*\" \\) \\\n        -print0 2>/dev/null | xargs -0 -r cat > \"$tmp\" 2>/dev/null\nfi\n\nif [ ! 
-s \"$tmp\" ]; then\n    echo \"ERROR: no nginx config found and 'nginx -T' produced nothing.\" >&2\n    echo \"If nginx is under a non-standard prefix, edit the find paths.\" >&2\n    exit 2\nfi\n\n# ---------- version check ----------\noss_ver=$(printf '%s' \"$ver_raw\" | sed -nE 's#.*nginx/([0-9]+\\.[0-9]+\\.[0-9]+).*#\\1#p')\nif printf '%s' \"$ver_raw\" | grep -qi 'nginx-plus'; then\n    is_plus=1\n    plus_rev=$(printf '%s' \"$ver_raw\" | sed -nE 's#.*nginx-plus-(r[0-9]+(-p[0-9]+)?).*#\\1#ip')\nfi\n\nver_verdict=\"UNKNOWN\"\nif [ \"$is_plus\" -eq 1 ]; then\n    rnum=$(printf '%s' \"$plus_rev\" | sed -nE 's#r([0-9]+).*#\\1#ip')\n    if [ -n \"$rnum\" ] && [ \"$rnum\" -ge 32 ] && [ \"$rnum\" -le 36 ]; then\n        ver_verdict=\"AFFECTED RANGE (NGINX Plus $plus_rev \u2014 check P-level against advisory)\"\n    else\n        ver_verdict=\"not in known affected Plus range\"\n    fi\nelif [ -n \"$oss_ver\" ]; then\n    n=$(printf '%s' \"$oss_ver\" | awk -F. '{print $1*1000000+$2*1000+$3}')\n    if [ \"$n\" -ge 6027 ] && [ \"$n\" -le 1030000 ]; then\n        ver_verdict=\"AFFECTED RANGE (OSS $oss_ver)\"\n    else\n        ver_verdict=\"not in known affected OSS range (OSS $oss_ver)\"\n    fi\nfi\n\n# is_plus is always set (0 or 1), so test its value instead of using ${is_plus:+...}\nplus_label=\"\"\n[ \"$is_plus\" -eq 1 ] && plus_label=\" (Plus $plus_rev)\"\necho \"nginx version: ${oss_ver:-unknown}${plus_label} => $ver_verdict\"\n\n# ---------- config pattern check ----------\n# Character-by-character tokenizer that emits one statement per { } ;\n# along with the current block_id. 
Each new \"{\" gets a fresh block_id,\n# so sibling blocks at the same depth are distinct.\nawk '\nBEGIN { RS = \"\\0\" }   # read whole file as one record\n{\n    src = $0\n    L = length(src)\n\n    next_block_id = 1\n    depth = 0\n    stack[0] = 0      # implicit top-level block has id 0\n    buf = \"\"\n    risk = 0\n    flagged = 0\n    in_sq = 0; in_dq = 0\n    in_comment = 0\n\n    for (i = 1; i <= L; i++) {\n        c = substr(src, i, 1)\n\n        # Handle comments (outside quotes only)\n        if (in_comment) {\n            if (c == \"\\n\") in_comment = 0\n            continue\n        }\n\n        # Handle backslash escape (keep both chars in buf, so regex matches work)\n        if (c == \"\\\\\" && i < L) {\n            buf = buf c substr(src, i+1, 1)\n            i++\n            continue\n        }\n\n        # Toggle quote state\n        if (c == \"\\\"\" && !in_sq) { in_dq = !in_dq; buf = buf c; continue }\n        if (c == \"'\\''\" && !in_dq) { in_sq = !in_sq; buf = buf c; continue }\n\n        # Inside a quoted string: copy verbatim, no structural chars\n        if (in_sq || in_dq) { buf = buf c; continue }\n\n        # Start of a comment\n        if (c == \"#\") { in_comment = 1; continue }\n\n        # Structural characters\n        if (c == \"{\") {\n            check_stmt(buf, stack[depth])\n            buf = \"\"\n            depth++\n            stack[depth] = next_block_id++\n            continue\n        }\n        if (c == \"}\") {\n            check_stmt(buf, stack[depth])\n            buf = \"\"\n            delete seen[stack[depth]]\n            if (depth > 0) depth--\n            continue\n        }\n        if (c == \";\") {\n            check_stmt(buf, stack[depth])\n            buf = \"\"\n            continue\n        }\n\n        buf = buf c\n    }\n    check_stmt(buf, stack[depth])\n\n    if (flagged) {\n        print \"config pattern: POSSIBLY VULNERABLE\"\n        exit 0\n    } else if 
(risk) {\n        print \"config pattern: rewrite with $N + ? found, but no follow-up in same scope\"\n        exit 1\n    } else {\n        print \"config pattern: not found by heuristic\"\n        exit 1\n    }\n}\n\nfunction check_stmt(stmt, blk) {\n    gsub(/[ \\t\\r\\n]+/, \" \", stmt)\n    sub(/^ /, \"\", stmt)\n    sub(/ $/, \"\", stmt)\n    if (stmt == \"\") return\n\n    # Vulnerable rewrite?\n    # - directive is \"rewrite\"\n    # - contains at least one unnamed capture: \"(\" not followed by \"?\", not escaped\n    # - replacement contains \"?\"\n    # - uses a numbered backreference $1..$9\n    if (stmt ~ /^rewrite[ \\t]/ && \\\n        stmt ~ /\\?/ && \\\n        stmt ~ /(^|[^\\\\])\\([^?]/ && \\\n        stmt ~ /\\$[0-9]/) {\n        seen[blk] = 1\n        printf \"  [!] vulnerable rewrite (block_id=%d):\\n      %s\\n\", blk, stmt\n        risk = 1\n        return\n    }\n\n    # Follow-up directive in the same block as a prior vulnerable rewrite\n    if ((blk in seen) && stmt ~ /^(rewrite|if|set)[ \\t]/) {\n        printf \"  [!] follow-up directive in same scope (block_id=%d):\\n      %s\\n\", blk, stmt\n        flagged = 1\n    }\n}\n' \"$tmp\"\npattern_status=$?\n\n# ---------- verdict ----------\necho \"\"\nif [ \"$pattern_status\" -eq 0 ] && [[ \"$ver_verdict\" == AFFECTED* ]]; then\n    echo \"RESULT: HIGH RISK \u2014 vulnerable version AND matching config pattern.\"\n    echo \"        Upgrade nginx (OSS >= 1.30.1 / 1.31.0, Plus R32 P6 / R36 P4)\"\n    echo \"        OR replace unnamed captures (\\$1, \\$2) with named captures\"\n    echo \"        (?...) 
in the flagged rewrite directives.\"\n    exit 1\nelif [ \"$pattern_status\" -eq 0 ]; then\n    echo \"RESULT: config pattern matches but version not flagged.\"\n    echo \"        Double-check the F5 advisory if you're on Plus or a derivative:\"\n    echo \"        https://my.f5.com/manage/s/article/K000161019\"\n    exit 1\nelif [[ \"$ver_verdict\" == AFFECTED* ]]; then\n    echo \"RESULT: vulnerable version but no matching config pattern found.\"\n    echo \"        Still recommended: upgrade. The heuristic can miss things.\"\n    exit 1\nelse\n    echo \"RESULT: not flagged by this heuristic. Upgrading is still recommended.\"\n    exit 0\nfi", "creation_timestamp": "2026-05-16T00:21:10.000000Z"}, {"uuid": "5d20a368-0bbc-456c-9372-46f919819f77", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "af0120d0-3dac-4a6a-974b-a9f33d2a9846", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "https://github.com/DepthFirstDisclosures/Nginx-Rift", "content": "", "creation_timestamp": "2026-05-18T06:29:40.947938Z"}, {"uuid": "5dfd7cb8-11d5-459b-b4d8-b44a5ff06397", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/undercodenews.bsky.social/post/3mm4edhuecb2y", "content": "NGINX Rift Sparks Alarm as Hackers Begin Exploiting Critical CVE-2026-42945 Flaw Across Internet\u00a0Infrastructure\n\nIntroduction A newly disclosed security flaw in NGINX has quickly escalated into a major cybersecurity concern after researchers confirmed active exploitation attempts in the wild. 
The\u2026", "creation_timestamp": "2026-05-18T07:33:08.847995Z"}, {"uuid": "58ca7b61-9a69-47dd-8d53-c81ad0e6226d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosecbriefly.bsky.social/post/3mm4eqweqew23", "content": "CVE-2026-42945 enables remote heap buffer overflow exploitation in NGINX rewrite, with DoS on default setups and possible RCE when ASLR is disabled.\n", "creation_timestamp": "2026-05-18T07:40:41.017205Z"}, {"uuid": "459ed830-7aae-4279-80a2-8c3fd885a4b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mm4f6nwcpj2x", "content": "Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945", "creation_timestamp": "2026-05-18T07:48:20.631603Z"}, {"uuid": "c0a2e49f-f889-447c-aaf3-7b712070d2cb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/tomcat/statuses/116594498539615598", "content": "\ud83d\udea8 NGINX bug (CVE-2026-42945) now under active exploitation.\nCritical heap overflow in rewrite module. Attackers can crash workers with one request (possible RCE).\nPatch now if using NGINX \u22641.30.0. 
Check rewrite/if/set rules.\nFull details: https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html", "creation_timestamp": "2026-05-18T07:54:19.648891Z"}, {"uuid": "359a8704-8e90-4e79-926c-d5dff39bede9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/MDaDUlbZUcFJ-4rbDgSWYnTaUqaTn6tUsx9TVv7vZ36zWtP2", "content": "", "creation_timestamp": "2026-05-18T07:15:05.000000Z"}, {"uuid": "876a733f-8ed2-4922-838a-8302c00facdb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/synapsesec.bsky.social/post/3mm4fuzq2gw2s", "content": "New AI model seeps personal data from users. Researchers uncover serious flaws in data privacy across major platforms. Time to rethink your security measures. 
Read more: [https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html]", "creation_timestamp": "2026-05-18T08:00:50.708480Z"}, {"uuid": "d0682f16-e123-4fdf-8b88-4a16b4a75a26", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/shiojiri.com/post/3mm4h5hz5e2zy", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html", "creation_timestamp": "2026-05-18T08:23:45.459923Z"}, {"uuid": "0e289e86-7ea4-45b2-8146-e887ec04a5dd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/shiojiri.com/post/3mm4h7nfzpkzy", "content": "Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945 https://securityaffairs.com/192289/uncategorized/experts-warn-of-active-exploitation-of-critical-nginx-flaw-cve-2026-42945.html", "creation_timestamp": "2026-05-18T08:24:42.999559Z"}, {"uuid": "42c15d55-12b0-4aea-bd5f-5c48484a8abe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/pvynckier.bsky.social/post/3mm4iwqaii22m", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE thehackernews.com/2026/05/ngin...", "creation_timestamp": "2026-05-18T08:55:32.475671Z"}, {"uuid": "4c6e496f-51a2-479f-acc9-5082072e15da", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/ctinow/250416", "content": "Experts 
warn of active exploitation of critical NGINX flaw CVE-2026-42945\nhttps://ift.tt/SJ2p07L", "creation_timestamp": "2026-05-18T07:19:24.000000Z"}, {"uuid": "04e14604-6c6e-4e36-bd5b-a6d34cc8442e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116594758597394885", "content": "\ud83d\udea8 CRITICAL: Active exploitation of NGINX heap buffer overflow (CVE-2026-42945) in ngx_http_rewrite_module. Remote DoS on default, RCE possible if ASLR is off. Patch now! Official fix by F5. https://radar.offseq.com/threat/exploitation-of-critical-nginx-vulnerability-begin-ecd29fd7 #OffSeq #NGINX #Vuln #Patch", "creation_timestamp": "2026-05-18T09:00:30.419206Z"}, {"uuid": "ac6dadb7-14a1-4e28-8410-9a68567c4985", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/qGdGbSqnczExwiH0BQQtEulAWpwClE1FML1f85Om1AneajcQ", "content": "", "creation_timestamp": "2026-05-18T08:37:47.000000Z"}, {"uuid": "a4d401c5-9aa8-47c9-b3b5-3b8ea4f36ad6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/samilaiho.com/post/3mm544bayic2q", "content": "NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and\nPossible RCE\nthehackernews.com/2026/05/ngin...", "creation_timestamp": "2026-05-18T14:38:42.845363Z"}, {"uuid": "6bbb8e26-b68b-4cab-af77-a3b35f8fde44", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://mastodon.social/ap/users/115426718704364579/statuses/116596284383043011", 
"content": "\ud83d\udcf0 Critical 18-Year-Old 'NGINX Rift' Vulnerability (CVE-2026-42945) Under Active Attack\n\ud83d\udea8 CRITICAL NGINX FLAW! An 18-year-old bug 'NGINX Rift' (CVE-2026-42945) is actively exploited for DoS & RCE. Affects millions of web servers. Patch immediately! #NGINX #CVE #Infosec #PatchNow\n\ud83c\udf10 cyber[.]netsecops[.]io\n\ud83d\udd17 https://cyber.netsecops.io/articles/nginx-rift-critical-vulnerability-cve-2026-42945-active-exploitation/?utm_source=mastodon&amp;utm_medium=social&amp;utm_campaign=daily", "creation_timestamp": "2026-05-18T15:28:30.548490Z"}, {"uuid": "3f9cc5f0-4061-4fa0-8d56-a5a14eb1d672", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/true_secator/8212", "content": "A critical NGINX vulnerability has acquired a public PoC and is now being actively exploited by the cyber underground, warns VulnCheck, which noticed the first real attacks over the weekend.\n\nCVE-2026-42945 (CVSS 9.2), dubbed Nginx Rift,
is described as a heap buffer overflow in the ngx_http_rewrite_module component and had been hiding in the NGINX code for 16 years.\n\nIt leads to DoS with default configurations and to RCE if ASLR is disabled. F5 fixed it in NGINX Plus versions 37.0.0, R36 P4 and R32 P6, as well as in NGINX open source versions 1.31.0 and 1.30.1.\n\nShortly after F5 released the patches, Depthfirst published technical details and a demonstration PoC targeting this
vulnerability. Now, according to VulnCheck, attackers are already using this vulnerability in their attacks.\n\nResearchers detected active exploitation of CVE-2026-42945 in F5 NGINX on VulnCheck's test samples just a few days after information about the vulnerability was published.\n\nThe vulnerability arises because the script engine uses a two-stage process to calculate the buffer size and copy
data into it, and because the engine's internal state changes between these stages. Under certain conditions, an unpropagated flag causes attacker-supplied data to be written beyond the bounds of the heap.\n\nIn standard configurations, successful exploitation of the CVE will cause the server to restart, resulting in DoS.
If address space layout randomization (ASLR) is disabled, the vulnerability can lead to RCE.\n\nAs VulnCheck notes, the vulnerability can be exploited remotely, without authentication, using specially crafted HTTP requests, but this requires a specific rewrite configuration.\n\nAlthough crashing an NGINX worker process is fairly easy with a single specially
crafted request, achieving remote code execution is harder, since ASLR is enabled by default in most deployments.\n\nMeanwhile, Censys shows roughly 5.7 million internet-connected NGINX servers running a potentially vulnerable version, although the researchers believe the truly vulnerable group is probably considerably smaller.\n\nNevertheless,
the researchers believe the vulnerability requires urgent attention and that one should prepare for larger-scale impact, especially given that the public PoC can be used to disable ASLR and achieve RCE.", "creation_timestamp": "2026-05-18T11:00:08.000000Z"}, {"uuid": "95f5ce40-2df2-4f21-9351-ff0f2b82d29c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/patrickcmiller.bsky.social/post/3mm52mrofrj2u", "content": "Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945 securityaffairs.com/192289/uncat...", "creation_timestamp": "2026-05-18T14:12:28.883834Z"}, {"uuid": "5be53e08-2b56-4fab-bc9a-0c44ee14cffe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/patrickcmiller/statuses/116595983713606947", "content": "Experts warn of active exploitation of critical
NGINX flaw CVE-2026-42945 https://securityaffairs.com/192289/uncategorized/experts-warn-of-active-exploitation-of-critical-nginx-flaw-cve-2026-42945.html", "creation_timestamp": "2026-05-18T14:12:53.893236Z"}, {"uuid": "e2091eac-c8b0-43c4-bd7a-a7a6821142b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/securityrss.bsky.social/post/3mm52rzxfnh27", "content": "A critical vulnerability, CVE-2026-42945 (CVSS 9.2), in NGINX Plus and Open, allows unauthenticated attackers to crash worker processes or potentially execute remote code if ASLR is disabled. Exploitation attempts have been detected. Users are urged to apply F5's latest fixes.", "creation_timestamp": "2026-05-18T14:16:27.074164Z"}, {"uuid": "8a9e0e2c-6e1c-462b-8f0c-6770f52fd9b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84751", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keyword found: #CVE-2026\n\n\ud83d\udce6 Project name: CVE-2026-42945\n\ud83d\udc64 Project author: imSre9\n\ud83d\udee0 Development language: None\n\u2b50 Star count: 0  |  \ud83c\udf74 Fork count: 0\n\ud83d\udcc5 Updated: 2026-05-19 01:54:52\n\n\ud83d\udcdd Project description:\nNo description\n\n\ud83d\udd17 Click to visit the project address", "creation_timestamp": "2026-05-19T02:00:04.000000Z"}, {"uuid": "cc7dbcc3-0cf5-4d89-872d-1855ba3cbc96", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source":
"https://gist.github.com/stone776/ee5e28a52f7d95e7f2d58cb525abdce0", "content": "\n\n\n    \n    \n    TARDIS Intelligence Briefing -- 2026-05-19\n    \n    \n        .metadata-footer {\n            background: var(--tardis-dark);\n            border-top: 1px solid var(--tardis-edge);\n      
      padding: 18px 40px; margin-top: 8px;\n        }\n\n        .metadata-grid { display: flex; flex-wrap: wrap; gap: 20px 36px; }\n\n        .metadata-item { display: flex; flex-direction: column; gap: 2px; }\n\n        .metadata-key {\n            font-family: 'Orbitron', sans-serif;\n            font-size: 0.55em; font-weight: 700;\n            text-transform: uppercase; letter-spacing: 0.18em;\n            color: var(--tardis-text-muted);\n        }\n\n        .metadata-value {\n            font-family: 'Share Tech Mono', monospace;\n            font-size: 0.82em; color: var(--tardis-text-dim);\n        }\n    \n\n\n\n\n\n    \n\n        \n\n        \n\n            \nIntelligence Briefing\n            \nOSINT-First / IC Editorial Standards / CLAUDE Synthesis\n        \n    \n    \n\n        \n2026-05-19 \u00b7 Tuesday\n        \nOSINT Only\n        \nPartly Cloudy \u00b7 High 70.6\u00b0F / Low 51.9\u00b0F \u00b7 San Diego\n    \n\n\n\n\n    \n\n        \nSections\n        01AI Research\n        02Merlin Intelligence\n        03Military / Geo\n        04US News\n        05Economic\n        06Technology\n        07Cybersecurity\n        \n\n        13Analysis\n    \n\n    \n\n\n\n  \n\n    \n\n      \n      AI Research\n    \n    \nS1 \u00b7 ARXIV + LAB FEEDS\n  \n  \n\n\n    \n\n      \nBLUF\n      \nThree fresh papers address the agentic architecture layer directly: code-structured agent harnesses, skill generation quality benchmarking, and opportunistic parallelism in compound AI. A position paper challenges the single-judge safety assumption. All four have near-term implementation relevance.\n    \n\n    \n    \nCode as Agent Harness \u2014 Structured Dispatch Outperforms Prose Delegation\n    \n\n      \nLLMs orchestrating multi-step tasks achieve higher success rates when delegation is framed as code execution rather than natural-language instruction. The harness enforces sequencing, error capture, and retry logic. 
[ArXiv 2605.18747 \u00b7 2026-05-18]\n      \nKey finding: structured code harnesses reduce tool-skip hallucinations and out-of-order completions in multi-agent pipelines \u2014 the dominant failure mode in current orchestration systems.\n      \nImplementation path: wrap child agent dispatch in generated Python with typed inputs, structured error returns, and explicit blackboard write-backs rather than conversational handoffs.\n    \n    \n\n      \nOpen Questions\n      \n\n        \nDoes the harness pattern require the orchestrator model to be reliable at code generation, or does it work with structured templates the model fills in?\n      \n    \n\n    \n    \nSkillGenBench \u2014 Skill Generation Pipelines Require Held-Out Validation to Avoid Brittleness\n    \n\n      \nBenchmarks skill generation pipelines across generalizability, executability, and improvement rate. Pipelines that include a validation step \u2014 running generated skills against at least one held-out test before commit \u2014 show 2\u20133x fewer brittle skills in production. [ArXiv 2605.18693 \u00b7 2026-05-18]\n      \nCurrent Merlin Evolver loop lacks a structured pre-commit validation gate. This paper quantifies the cost of that gap.\n      \nPaper includes open-source benchmark harness applicable to any SKILL.md-style system.\n    \n\n    \n    \nPopPy \u2014 Implicit Parallelism in Compound AI Applications Extracted at Runtime\n    \n\n      \nDemonstrates that compound AI applications written in sequential Python contain substantial latent parallelism that a runtime can extract without programmer annotation. Mean 2.1x throughput improvement on representative workloads. 
[ArXiv 2605.18697 \u00b7 2026-05-18]\n      \nApplicable to Merlin's orchestrator multi-child dispatch: sequential agent calls that are data-independent can be parallelized by the runtime rather than requiring explicit async orchestration.\n      \nImplementation approach: introduce a PopPy-style dependency graph at the orchestrator level, letting the blackboard schema define data dependencies that constrain parallelism.\n    \n\n    \n    \nThree-Layer Safety Architecture \u2014 Single Judge Is Categorically Insufficient for LLM Agents\n    \n\n      \nPosition paper with probabilistic analysis argues that a single abstraction layer for LLM agent safety cannot distinguish confident-correct from confident-wrong from adversarially-manipulated outputs. A structurally independent second layer with different evidence basis is required. [ArXiv 2605.18672 \u00b7 2026-05-18]\n      \nDirect implication for Merlin: the Judge operating on agent self-reported output alone is insufficient. An Auditor using OTel span data \u2014 verifying that agents actually called the tools they claim to have called \u2014 constitutes an independent evidence basis and satisfies the paper's architectural requirement.\n      \nThe paper's three layers map to: (1) agent self-reporting, (2) external auditor with different evidence, (3) structural constraints in the environment (blackboard schema, tool permissions).\n    \n    \n\n      \nContext\n      \nAll four papers appeared May 18, 2026. ArXiv rotation window 9 (historical: March 10\u201317, 2026). 
No historical papers met the significance threshold for this window.\n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      Merlin Intelligence\n    \n    \nS2 \u00b7 FACTORY-INTERNAL\n  \n  \n\n\n    \n\n      \nBLUF\n      \nToday's ArXiv papers collectively close a loop Merlin hasn't yet closed: code-as-harness for agent dispatch, skill quality benchmarking, and the structural argument that a single Judge layer is insufficient for safe agent operation. The 314-npm supply chain attack adds an immediate operational action item: audit and pin all dependencies in the OpenHands container image.\n    \n\n    \n\n      \nFinding 1 \u2014 Code as Agent Harness [2605.18747] \u00b7 Orchestrator Dispatch Pattern\n      \n\n        What it shows: LLMs orchestrating multi-step tasks achieve substantially higher success rates when they frame subproblem delegation as code execution rather than conversational instruction \u2014 the harness structure enforces sequencing, error capture, and retry logic that prose prompts do not. [ArXiv 2605.18747]\n      \n      \n\n        Merlin component: Orchestrator child agent dispatch via AgentDelegateAction. Currently the orchestrator passes prose skill instructions. This paper argues that wrapping the delegation in a code harness \u2014 with explicit control flow, typed inputs, and structured error returns \u2014 reduces hallucinated skips and out-of-order completions.\n      \n      \n\n        Implementation idea: Replace the prose-instruction delegate pattern with a generated Python scaffold that calls child agents as functions, captures return values onto the blackboard, and handles failures with typed exceptions. The orchestrator generates this harness; the harness runs in OpenHands.\n      \n      \nBuild priority: [HIGH] \u2014 directly addresses the \"agents skip tools\" failure mode visible in OpenHands UI. 
Zero Golden Rule violations.\n    \n\n    \n\n      \nFinding 2 \u2014 SkillGenBench [2605.18693] \u00b7 SKILL.md Pipeline Quality\n      \n\n        What it shows: The paper benchmarks skill generation pipelines for LLM agents across three dimensions: generalizability (does the skill transfer to new tasks?), executability (does it run without errors?), and improvement rate (does Evolver produce better skills over iterations?). Key finding: pipelines that include a structured validation step \u2014 running the generated skill against at least one held-out test case before committing \u2014 show 2-3x fewer brittle skills in production. [ArXiv 2605.18693]\n      \n      \n\n        Merlin component: Evolver (SKILL.md evolution loop). Merlin currently lacks a structured validation gate between Evolver output and SKILL.md commit.\n      \n      \n\n        Implementation idea: Add a post-generation validation step to the Evolver loop: generate a synthetic test case from the skill's stated purpose, run the new skill against it in a sandboxed OpenHands session, and require a confidence \u226592 pass before committing to SKILL.md. Failed validations feed back as examples to the next Evolver iteration.\n      \n      \nBuild priority: [MEDIUM] \u2014 valuable for Phase 1 closure but not a current blocker. Plan for next sprint.\n    \n\n    \n\n      \nFinding 3 \u2014 Three-Layer Safety [2605.18672] \u00b7 Judge/Auditor Architecture\n      \n\n        What it shows: This position paper argues \u2014 with probabilistic analysis \u2014 that enforcing LLM agent safety within a single abstraction layer is categorically insufficient, not merely suboptimal. The argument: a single Judge operating on agent output cannot distinguish between confident-correct, confident-wrong, and adversarially-manipulated outputs. A second independent layer with a different evidence basis is structurally required. 
[ArXiv 2605.18672]\n      \n      \n\n        Merlin component: Judge/Auditor verification loop. Merlin uses a single Judge with confidence \u226592 threshold. This paper is a direct challenge to whether that's sufficient.\n      \n      \n\n        Implementation idea: Add an independent Auditor layer that evaluates Judge outputs using a different evidence basis \u2014 specifically, checking OTel span data (did the agent actually call the tools the Judge claims it called?) rather than relying solely on the agent's self-reported output. This is effectively already in the Merlin roadmap; this paper makes the case for prioritizing it.\n      \n      \nBuild priority: [HIGH] \u2014 architectural gap with probabilistic safety implications. The OTel-based auditor is the right implementation and aligns with Golden Rule 2 (Pervasive OTel).\n    \n\n    \n\n      \nFinding 4 \u2014 314 npm Supply Chain Attack \u00b7 Operational Action\n      \n\n        What it shows: 314 npm packages compromised in an active supply chain attack. Attack vector and specific packages not yet disclosed at time of collection. [HackerNews, May 19]\n      \n      \n\n        Merlin component: OpenHands Docker image and any Node.js tooling in the build pipeline. The Merlin factory uses npm for frontend tooling and potentially for generated product scaffolding.\n      \n      \n\n        Implementation idea: Immediate: run npm audit on the OpenHands container image and any Merlin scaffolding packages. Pin all npm dependencies to exact versions with hashed integrity checks in package-lock.json. Consider switching to a private npm mirror with pre-vetted package snapshots for production builds.\n      \n      \nBuild priority: [HIGH] \u2014 operational, not research. 
Do this before the next factory run.\n    \n\n    \n\n      \nOpen Questions\n      \n\n        \nDoes the code-as-harness pattern require OpenHands to support programmatic error-return capture, or can this be layered above via the blackboard schema?\n        \nIf the three-layer safety argument is correct, what is the minimum independent evidence basis for an Auditor that doesn't double the per-task LLM cost? OTel spans are the obvious answer \u2014 but are they sufficient as a distinct evidence source, or do they suffer from the same adversarial manipulation surface?\n      \n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      Military / Geopolitical\n    \n    \nS3 \u00b7 OSINT\n  \n  \n\n\n    \n\n      \nBLUF\n      \nIran issued a public threat to interfere with submarine cables in the Strait of Hormuz \u2014 the first explicit statement of this kind and a structural escalation of its coercive posture. Separately, the US suspended the joint defense advisory board with Canada, marking a measurable deterioration in a foundational alliance.\n    \n\n    \nIran Threatens Submarine Cable Interference in Strait of Hormuz\n    \n\n      \nIranian officials issued a public statement hinting at the ability and willingness to disrupt submarine communications cables passing through the Strait of Hormuz in response to US pressure. [The Register \u00b7 2026-05-19]\n      \nThe Strait of Hormuz carries a significant fraction of global submarine cable traffic between Europe, Asia, and the Gulf states. Disruption would affect internet connectivity across the Middle East and portions of South Asia.\n      \nThis is a qualitative escalation: Iran has threatened oil shipping before; threatening communications infrastructure targets a different category of critical systems and signals broader coercive reach.\n      \nNo disruption has occurred. 
The statement is assessed as a coercive signal rather than an imminent operational threat \u2014 but the explicit nature of the statement represents a new threshold.\n    \n    \n\n      \nContext\n      \nSubmarine cable disruption has been used previously by Russia (Baltic Sea, 2024) and suspected Houthi activity in the Red Sea (2024). Iran publicly claiming this capability in the Hormuz context signals awareness of the tactic's leverage. US-Iran nuclear negotiations remain ongoing and unresolved.\n    \n    \n\n      \nOpen Questions\n      \n\n        \nIs this a negotiating signal tied to nuclear talks, or a longer-term shift in Iran's coercive toolkit?\n        \nWhat redundant cable routing exists for Gulf-to-Asia traffic that would mitigate a Hormuz disruption?\n      \n    \n\n    \nUS Suspends Joint Defense Advisory Board with Canada\n    \n\n      \nThe Pentagon's policy chief announced Monday that the United States suspended the joint defense advisory board with Canada. [Pentagon / NOTUS \u00b7 2026-05-18]\n      \nThe move was described as a response to Canadian political developments following the Carney government's election. It represents a formal institutional suspension, not a routine postponement.\n      \nThe Canada-US defense relationship encompasses NORAD, Arctic monitoring, and joint continental defense architecture. A suspended advisory board does not immediately degrade operational capability, but signals political intent to reduce coordination.\n      \nThis follows other recent US-Canada friction including tariff disputes and the 51st-state rhetoric from the Trump administration.\n    \n    \n\n      \nContext\n      \nThe Trump administration has applied similar pressure to other close allies including Denmark (Greenland), Panama (canal access), and the EU (trade). Canada represents a different tier \u2014 a direct continental neighbor with deeply integrated defense infrastructure. 
Suspension of formal advisory mechanisms is the first measurable institutional step beyond rhetoric.\n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      US News\n    \n    \nS4 \u00b7 DOMESTIC\n  \n  \n\n\n    \n\n      \nBLUF\n      \nThe Musk v. OpenAI lawsuit was dismissed by jury in under two hours, clearing the principal legal challenge to OpenAI's non-profit-to-capped-profit governance conversion and removing a significant overhang on OpenAI's restructuring timeline.\n    \n\n    \nUpdate: Musk Loses OpenAI Lawsuit After Less Than Two Hours of Jury Deliberation\n    \n\n      \nA jury dismissed Elon Musk's lawsuit against Sam Altman and OpenAI after less than two hours of deliberation. The trial had centered on whether Musk's early contributions constituted a binding agreement that OpenAI remain a non-profit. [TomHardware \u00b7 2026-05-18]\n      \nThe speed of the verdict \u2014 under two hours \u2014 signals the jury found the core claims insufficiently supported, not merely a close call.\n      \nOpenAI's governance conversion from non-profit to capped-profit structure now faces no active major legal challenge in US courts. The California AG review of the conversion terms remains a separate administrative process.\n      \nMusk's xAI continues as a competing AI lab; the lawsuit's dismissal does not change competitive dynamics but removes a source of legal and reputational drag on OpenAI's fundraising and governance roadmap.\n    \n    \n\n      \nContext\n      \nThe briefing noted on May 13 that the trial was entering final days with Altman's \"trust\" as the central question. The verdict follows that trajectory \u2014 the jury accepted OpenAI's argument that no legally binding agreement was violated. OpenAI has been seeking to complete its capped-profit restructuring to enable institutional investment at scale. 
This ruling removes the most significant legal obstacle to that process.\n    \n    \n\n      \nOpen Questions\n      \n\n        \nDoes Musk appeal, or does this effectively close the legal chapter and redirect his attention to regulatory or regulatory-adjacent pressure on OpenAI?\n        \nHow quickly does OpenAI move to finalize the governance restructuring now that the lawsuit is resolved?\n      \n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      Economic\n    \n    \nS5 \u00b7 FRED + NPM\n  \n  \n\n\n    \n\n      \nBLUF\n      \nMacro indicators show a softening-but-stable picture: yield curve normalizing (T10Y2Y at +0.54), VIX at 18.4 (contained), HY credit spread historically tight at 2.80. Supabase-js growth rate slightly below weekly pace (0.88x) while Prisma, Drizzle, and Convex are all accelerating. Drizzle continues to close the gap.\n    \n\n    \nFRED INDICATORS \u2014 WEEK OF MAY 19, 2026\n\nSeries | Definition | Latest | Date | Signal\nT10Y2Y | 10Y minus 2Y Treasury spread. Positive = normal curve; negative = inverted (recession signal). | +0.54 | 2026-05-18 | Curve normalizing from inversion. No recession signal.\nVIXCLS | CBOE VIX. Market's 30-day implied volatility expectation. Below 20 = calm; above 30 = stress. | 18.43 | 2026-05-15 | Within normal range. Moderate uncertainty, no regime stress.\nSOFR | Secured Overnight Financing Rate. Effective short-term borrowing benchmark replacing LIBOR. | 3.55% | 2026-05-15 | Stable. Fed holding at current rate.\nBAMLH0A0HYM2 | HY OAS Spread. High-yield bond spread over Treasuries. Measures credit risk appetite. Normal <400bps; stress >600bps. | 2.80% | 2026-05-15 | Historically tight. Markets pricing low default risk. Credit conditions favorable.\nICSA | Initial Jobless Claims. Weekly new unemployment filings. Baseline 200\u2013250K. | 211K | 2026-05-09 | Slight uptick from 199K prior week. Within normal range; no trend signal yet.\nWM2NS | M2 Money Supply (NSA). Broad money including checking, savings, money market. Indicator of liquidity conditions. | $23,115B | 2026-04-06 | Growing from $22,884B. Liquidity expanding.\n\nNPM ECOSYSTEM \u2014 WEEKLY DOWNLOADS\n\nPackage | Weekly | Monthly | Growth Rate | Signal\n@supabase/supabase-js | 16,054,383 | 78,908,474 | 0.88x | Below weekly pace. Watch for trend.\nprisma | 12,672,305 | 46,561,166 | 1.18x | Accelerating. Gap with supabase-js narrowing.\ndrizzle-orm | 9,524,885 | 35,332,974 | 1.17x | Strong acceleration. Fastest-growing ORM.\nfirebase | 7,589,108 | 29,543,351 | 1.11x | Steady growth. Firebase still relevant.\naws-sdk | 9,992,852 | 38,612,957 | 1.12x | Stable enterprise baseline.\nconvex | 726,678 | 2,620,539 | 1.20x | Highest growth rate. Small base but accelerating sharply.\n@neondatabase/serverless | 1,965,051 | 7,536,835 | 1.13x | Neon growing faster than supabase-js weekly rate.\n@planetscale/database | 195,496 | 822,018 | 1.03x | Flat. PlanetScale stalled since pricing changes.\n    \n\n      \nInterpretation\n      \nSupabase-js at 16M weekly is still the largest developer database client, but its 0.88x growth rate means it is running slightly below its own monthly average pace \u2014 a possible seasonal artifact or early signal of competitor acceleration. Prisma (1.18x) and Drizzle (1.17x) are both above their own monthly pace, meaning momentum is building. Convex at 1.20x is the outlier; small absolute numbers but the highest growth rate in the table. PyPI data unavailable this cycle (rate-limited).\n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      Technology\n    \n    \nS6 \u00b7 INDUSTRY\n  \n  \n\n\n    \n\n      \nBLUF\n      \nAnthropic acquired a dev tools startup previously used by OpenAI, Google, and Cloudflare \u2014 a direct move into developer infrastructure that shifts competitive dynamics in the AI tooling layer. OpenAI simultaneously announced an enterprise Codex deployment partnership with Dell, extending its footprint into on-premise environments where Supabase has limited reach.\n    \n\n    \nLEAD: Anthropic Acquires Developer Tools Startup Used by OpenAI, Google, and Cloudflare\n    \n\n      \nAnthropic confirmed the acquisition of a developer tools startup whose products were previously used by OpenAI, Google, and Cloudflare. Specific terms and the startup's name were not disclosed in initial reporting. 
[TechCrunch \u00b7 2026-05-18]\n      \nThe acquisition places Anthropic directly in the developer infrastructure layer \u2014 a market segment previously served by independent tools that competed on neutrality across AI providers.\n      \nSupabase relevance: Supabase operates in the developer infrastructure space (database + auth + edge functions). An Anthropic-owned developer tools company with enterprise relationships at Google and Cloudflare scale represents a new category of competitor \u2014 one with AI-native defaults and a distribution moat via Claude API customers.\n      \nFor Merlin specifically: if the acquired tooling includes orchestration or deployment primitives, it could compete directly with the OpenHands + Claude Code workflow Merlin is built on.\n    \n    \n\n      \nContext\n      \nAnthropic has been primarily a model provider. This acquisition signals a move toward vertical integration into the developer workflow layer \u2014 the same strategic direction OpenAI has pursued with Codex CLI, Cursor partnerships, and now the Dell enterprise deal. The specific startup and its product surface will determine the competitive impact. Watch for Anthropic announcements in the days following the acquisition close.\n    \n    \n\n      \nOpen Questions\n      \n\n        \nWhich startup was acquired, and what is its core product surface \u2014 IDE integration, CI/CD, observability, or something else?\n        \nDoes Anthropic integrate the tooling into Claude.ai or Claude API, or does it operate as a standalone product?\n      \n    \n\n    \nOpenAI and Dell Partner to Bring Codex to Hybrid and On-Premise Enterprise\n    \n\n      \nOpenAI and Dell announced a partnership to deploy Codex in hybrid and on-premise enterprise environments, extending AI coding assistance to organizations with data residency and air-gap requirements. 
[OpenAI \u00b7 2026-05-18]\n      \nThis is the first Codex deployment targeting infrastructure-constrained enterprises \u2014 a segment that has resisted SaaS AI tools due to compliance requirements.\n      \nOn-premise Codex running on Dell infrastructure means OpenAI gains enterprise relationships without requiring data to leave customer environments. Competitive implication for GitHub Copilot Enterprise, which has had this market largely to itself.\n      \nSupabase angle: enterprises adopting on-premise Codex will have AI-assisted development workflows that naturally point toward cloud-hosted databases. Supabase's enterprise tier and self-hosted option are relevant here, but the default path is likely toward OpenAI-adjacent infrastructure.\n    \n\n    \nTech Layoff Wave 2026: 138,837 Roles Eliminated at 324 Companies\n    \n\n      \nAs of May 2026, 324 tech companies have conducted layoffs affecting 138,837 employees. Cisco confirmed 4,000 positions cut. Meta layoffs reported beginning this week. [Layoffs.fyi / TechCrunch \u00b7 2026-05-18\u201319]\n      \nThe pace is elevated relative to the 2025 baseline but below the 2023 peak. Pattern: companies reducing non-AI headcount while increasing AI infrastructure spend \u2014 consistent with the \"fewer engineers, more compute\" operating model shift.\n      \nHiring environment implication for Supabase: senior infrastructure and database engineering talent is available at lower competition pressure than 2021\u20132022. Developer tool adoption typically accelerates during periods of engineering team consolidation as productivity-per-engineer metrics become more important.\n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      Cybersecurity\n    \n    \nS7 \u00b7 THREAT INTEL\n  \n  \n\n\n    \n\n      \nBLUF\n      \n314 npm packages were compromised in an active supply chain attack \u2014 the largest npm-specific campaign since the LiteLLM incident. CISA KEV recorded no new additions in the past 24 hours. 
NGINX CVE-2026-42945 is confirmed exploited in the wild with a 9.3 CVSS score SQL injection companion vulnerability.\n    \n\n    \nLEAD: 314 npm Packages Compromised \u2014 Mini Shai-Hulud Supply Chain Attack\n    \n\n      \nAn active supply chain attack \u2014 referred to as \"Mini Shai-Hulud Strikes Again\" on HackerNews \u2014 has compromised 314 npm packages. The specific packages and attack vector were not publicly disclosed at time of collection. [HackerNews \u00b7 2026-05-19]\n      \n314 packages represents a large-scale coordinated compromise, not an isolated incident. The \"Strikes Again\" framing indicates this is a recurrence of a previously observed campaign or actor.\n      \nDeveloper ecosystem risk: any project with transitive dependencies on compromised packages is potentially affected. Supply chain attacks at this scale typically target packages with millions of downstream consumers.\n      \nImmediate action: run npm audit on all active projects. Check npm advisory database for the specific package list when disclosed. Pin dependencies to exact versions with integrity hashes.\n      \nMerlin-specific: the OpenHands Docker image and Merlin's product scaffold generators use npm. Audit before next factory run.\n    \n    \n\n      \nContext\n      \nThe prior \"Shai-Hulud\" campaign (referenced by the \"Again\" framing) targeted developer tooling packages. The LiteLLM supply chain attack covered in the May 16 briefing involved a different vector (PyPI/Python). This is a parallel npm-specific campaign. npm supply chain attacks have historically been used for credential harvesting, crypto mining injection, and in advanced cases, persistent backdoors in generated code artifacts.\n    \n\n    \nNGINX CVE-2026-42945 Exploited in the Wild \u2014 Worker Crashes and Possible RCE\n    \n\n      \nCVE-2026-42945 affecting NGINX is confirmed exploited in the wild, causing worker process crashes and potentially enabling code execution. 
A companion SQL injection vulnerability CVE-2026-28516 (CVSS 9.3) was disclosed alongside it. [DailyCVE / Brave Search \u00b7 2026-05-18]\n      \nNGINX is widely deployed as a reverse proxy and load balancer in cloud-native and self-hosted infrastructure including Supabase self-hosted deployments.\n      \nCISA KEV did not add either CVE in the past 24 hours \u2014 CISA KEV total remains at 1,592 entries as of May 19. Check for KEV addition in subsequent days.\n      \nRecommended action: review NGINX version in any self-hosted or edge infrastructure and apply patches when available. The companion SQL injection CVE warrants immediate attention given CVSS 9.3.\n    \n\n    \n\n      \nCISA KEV \u2014 New Additions (Last 24h)\n      \nNo new entries added to the Known Exploited Vulnerabilities catalog in the past 24 hours. Total catalog: 1,592 entries as of 2026-05-19.\n    \n\n  \n\n\n\n\n  \n\n    \n\n      \n      Analysis\n    \n    \nS13 \u00b7 SYNTHESIS\n  \n  \n\n\n    \n\n      \nStructural Reads\n      \n\n        \nThe Anthropic acquisition of a cross-lab developer tools startup is probably the most structurally significant event of the week. It signals that Anthropic has concluded the model API layer alone is insufficient \u2014 that distribution requires owning developer workflow touchpoints. This is the same strategic logic that drove OpenAI toward Codex CLI, the Dell enterprise partnership, and operator embedding. The pattern across labs now: model commoditization is accelerating faster than anyone projected, so the value migration is moving up-stack into tooling, workflow integration, and developer identity. 
For Supabase, the acquisition raises a question that did not exist six months ago: if the developer tools layer consolidates under AI companies, does Supabase's infrastructure-neutral position become a competitive advantage (works with everything) or a liability (no model distribution flywheel)?\n\n        \nThe 314-npm supply chain attack and the NGINX CVE-2026-42945 exploitation arrive in the same 24-hour window as the Anthropic acquisition \u2014 not causally related, but thematically coherent. Developer infrastructure is now a primary attack surface. The prior briefing covered the LiteLLM Python supply chain compromise; this briefing covers an npm campaign. The cadence suggests a sustained adversarial focus on the developer tooling layer specifically, not random opportunism. Organizations that have not pinned dependencies and implemented integrity verification are running elevated risk during an active campaign period.\n\n        \nIran's submarine cable threat in the Strait of Hormuz is worth tracking separately from its nuclear-talks context. The explicit public statement \u2014 regardless of intent \u2014 establishes a new escalation reference point. If Iran perceives that threatening communications infrastructure carries low cost and high coercive value, the tactic will recur. The Red Sea cable disruptions of 2024 demonstrated that submarine cable attacks are feasible and that restoration timelines are measured in weeks, not days. A Hormuz disruption would have different geographic scope but similar operational logic.\n\n        \nThe yield curve normalization (T10Y2Y at +0.54) combined with historically tight HY credit spreads (2.80%) and contained VIX (18.4) describes a macro environment that is neither stressed nor euphoric. Developer tool adoption typically tracks with enterprise software budgets, which track with credit availability. 
The current macro reads as \"favorable but not accelerating\" \u2014 a backdrop where execution quality matters more than market tailwinds.\n      \n    \n\n    \n\n      \nMerlin Synthesis\n      \n\n        Today's ArXiv cluster is unusually coherent: three papers address the same architectural gap from different angles \u2014 that the current orchestrator pattern (prose delegation + single judge) has measurable failure modes that structured alternatives can reduce. The code-as-harness paper (2605.18747) addresses the dispatch layer; the three-layer safety paper (2605.18672) addresses the verification layer; SkillGenBench (2605.18693) addresses the skill quality layer. These are not independent research threads \u2014 they triangulate on the same system-level problem. The probability that all three are wrong in their core claims is low. The implication: the Phase 1 factory closure plan should include at minimum the OTel-based Auditor (independent verification layer) and a pre-commit skill validation gate before the next major Evolver run. The code-as-harness pattern is likely a [HIGH] sprint item once the OpenHands upgrade plan is resolved. 
The 314-npm attack also warrants an immediate dependency audit before the next factory run \u2014 this is operational, not optional.\n      \n    \n\n  \n\n\n    \n\n\n\n\n    \n\n        \n\n            \nGenerated\n            \n2026-05-19T08:15:00-07:00\n        \n        \n\n            \nArXiv Window\n            \n9 / 13 \u00b7 Historical: 2026-03-10 to 2026-03-17\n        \n        \n\n            \nSections\n            \n8 included \u00b7 5 omitted\n        \n        \n\n            \nLeads\n            \n2 \u00b7 Includes: 9 \u00b7 Merlin findings: 4\n        \n        \n\n            \nDropped\n            \nStale: 3 \u00b7 Dedup: 2\n        \n        \n\n            \nData Sources\n            \nRSS: 18/18 \u00b7 FRED: 14/14 \u00b7 Brave: 13/44 (rate-limited) \u00b7 npm: 8/8 \u00b7 CISA KEV: OK \u00b7 Weather: OK\n        \n        \n\n            \nAudio\n            \nPending TTS generation\n        \n    \n\n\n\n", "creation_timestamp": "2026-05-19T08:28:51.000000Z"}, {"uuid": "5f51f64c-7cc8-4b4f-900c-75474e33df87", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/decio/statuses/116600348345397141", "content": "[Related] Exploitation on the internet of CVE-2026-42945 aka NGINX RIFT https://depthfirst.com/nginx-rift has reportedly begun, according to VulnCheck \u2b07\ufe0f \"Exploitation of Critical NGINX Vulnerability Begins\"\"The flaw leads to denial-of-service on default configurations and to remote code execution if ASLR is disabled.\"\"Shortly after F5 released patches for the bug, Depthfirst published technical details and proof-of-concept (PoC) code targeting it. 
Now, VulnCheck says threat actors are already exploiting the issue in attacks.\n\u201cWe\u2019re seeing active exploitation of CVE-2026-42945 in F5 NGINX, a heap buffer overflow affecting both NGINX Plus and NGINX Open Source on VulnCheck Canaries just days after the CVE was published,\u201d VulnCheck researcher Patrick Garrity warned. ( https://www.linkedin.com/posts/patrickmgarrity_cybersecurity-threatintelligence-riskmanagement-share-7461369931851517952-PBjV/ ) \"\ud83d\udc47 https://www.securityweek.com/exploitation-of-critical-nginx-vulnerability-begins\n#CyberVeille  #NGINXRift", "creation_timestamp": "2026-05-19T08:42:00.537759Z"}, {"uuid": "7da51d69-d073-4df3-83c9-6f28e338496e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/timb_machine/statuses/116600044786237419", "content": "CVE-2026-42945 looks nasty:\nhttps://github.com/DepthFirstDisclosures/Nginx-Rift\n#threatintel, #nginx", "creation_timestamp": "2026-05-19T08:43:44.763093Z"}, {"uuid": "9696ccb3-738d-48c4-a62a-ae24a33ec37b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/deafnews-auto.bsky.social/post/3mm73wur5ds2s", "content": "NGINX Rift Under Active Exploitation: A Technical Analysis of CVE-2026-42945", "creation_timestamp": "2026-05-19T09:41:17.135578Z"}, {"uuid": "bbb07a7a-81f5-410f-ad5a-457939f65740", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mm7bfzfq532i", "content": "Critical NGINX Vulnerability CVE-2026-42945 Now Under Active Attack", "creation_timestamp": 
"2026-05-19T11:18:53.365220Z"}, {"uuid": "f4dbf8b8-7488-4a5e-86dd-b0aa43b923dd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/getpacketai.bsky.social/post/3mm7c2knos22q", "content": "Critical NGINX flaw (CVE-2026-42945) already under active exploitation in the wild. CVSS 9.2 heap buffer overflow could crash workers or enable RCE\u2014patch your 0.6.27\u20131.30.0\u2026\n\nhttps://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html\n\n#cybersecurity #infosec", "creation_timestamp": "2026-05-19T11:30:20.462379Z"}, {"uuid": "69334776-7302-4ab5-9b7a-f7a63120687d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hacker.at.thenote.app/post/3mm7g5kjakk2g", "content": "Attackers are exploiting critical NGINX vulnerability (CVE-2026-42945)\n\nA critical NGINX vulnerability (CVE-2026-42945) disclosed last week is being exploited by attackers, VulnCheck security researcher Patrick Garrity revealed on Saturday. 
The vulnerability, dubbed NGINX Rift, ca\u2026\n#hackernews #news", "creation_timestamp": "2026-05-19T12:43:37.772153Z"}, {"uuid": "0c4f21e3-7cfe-4c2d-b364-e052e594fa49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://ccb.belgium.be/advisories/warning-multiple-vulnerabilities-nginx-leading-remote-code-execution-and-allowing-rate", "content": "", "creation_timestamp": "2026-05-19T08:05:32.000000Z"}, {"uuid": "057a7243-1922-4bb4-88bd-2ddf0bca2af7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/diesec.bsky.social/post/3mma2etv6vz2r", "content": "CVE-2026-42945 (CVSS 9.2): 18-year-old heap overflow in NGINX rewrite module \u2014 now actively exploited. Affects every NGINX version from 0.6.27 to 1.30.0. Attackers use AI scanning to find vulnerable instances at scale. 
Update immediately.\n\n#CyberSecurity #NGINX", "creation_timestamp": "2026-05-19T18:45:37.140020Z"}, {"uuid": "5c99d3cc-d06d-44be-89a2-149462bb4904", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/Kubernetes.activitypub.awakari.com.ap.brid.gy/post/3mma677tdpep2", "content": "\ud83d\udea9 Critical \u201cNGINX Rift\u201d vulnerability enables unauthenticated DoS and potential RCE through rewrite module misconfiguration Critical \u201cNGINX Rift\u201d flaw (CVE-2026-42945) enables unauthenti...\n\n#TIGR #vulnerability\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-19T19:54:05.436257Z"}, {"uuid": "cb17db56-60c8-48bb-90f9-002fba6daa1a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/happy-homhom.bsky.social/post/3mmapsahzq72q", "content": "PoC released that exploits the serious NGINX vulnerability \"CVE-2026-42945\": a plain-language explanation of what happens\nhttps://papoo.work/doc/a02e47991ba665ef", "creation_timestamp": "2026-05-20T01:08:54.055819Z"}, {"uuid": "2a666101-38b8-41ec-8276-e2b3b3d5016c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/technoholic.bsky.social/post/3mmaxolen4r2n", "content": "A critical flaw in NGINX (CVE-2026-42945, CVSS 9.2) is actively exploited. It affects versions 0.6.27 to 1.30.0 via heap buffer overflow in ngx_http_rewrite_module. 
Update now!", "creation_timestamp": "2026-05-20T03:30:01.007380Z"}, {"uuid": "78e323ac-3d9a-48c5-8524-a48604d8131a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/kitafox.bsky.social/post/3mmazdyobk42f", "content": "NGINX vulnerability: critical flaw CVE-2026-42945, present for 18 years, has been exploited, causing servers to crash \n\nNGINX Rift: Critical 18-Year-Old Flaw CVE-2026-42945 Actively Exploited to Crash Servers  #DailyCyberSecurity (May 19)\n\nsecurityonline.info/nginx-rift-v...", "creation_timestamp": "2026-05-20T03:59:53.867174Z"}, {"uuid": "39734076-263a-4220-a889-595ca183310e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/modat-io.bsky.social/post/3mm7523waw22z", "content": "\u26a0\ufe0f CVE-2026-42945 (CVSS 9.2): NGINX heap overflow in ngx_http_rewrite_module (\u22641.30.0) is actively being exploited in the wild. Crafted HTTP requests via rewrite/if/set PCRE \u201c?\u201d can crash workers and may lead to RCE (ASLR off). Patch now to Nginx 1.31.0 or 1.30.1. 
Query: technology=\"Nginx\"", "creation_timestamp": "2026-05-19T10:00:44.624790Z"}, {"uuid": "dad46afa-c19c-4f17-b5bf-54e4aca79a88", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/undercode.bsky.social/post/3mm763xdw3m2o", "content": "CVE-2026-42945 (CVSS 92): The 18-Year-Old NGINX Rift Heap Overflow \u2013 Full RCE PoC &amp; Mitigation Guide +\u00a0Video\n\nIntroduction: A heap buffer overflow vulnerability codenamed \"NGINX Rift\" (CVE-2026-42945) has been discovered in the widely used `ngx_http_rewrite_module` of NGINX, affecting all versions\u2026", "creation_timestamp": "2026-05-19T10:19:32.730450Z"}, {"uuid": "8080b79d-9bad-42ba-8de1-b54e5ef0d931", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mm7ih6vuosm2", "content": "NGINX CVE-2026-42945 Under Active Exploitation After F5 Patch Drop VulnCheck confirmed in-the-wild exploitation of NGINX CVE-2026-42945, a critical heap overflow, within days of F5's patch; 5.7...\n\n#Resources #Application #Security #CVE #Vulnerability [\u2026] \n\n[Original post on dailysecurityreview.com]", "creation_timestamp": "2026-05-19T13:24:48.506286Z"}, {"uuid": "e4cc7eff-3216-41b3-9027-18e6fa5ea3e6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/thedailytechfeed.com/post/3mm7oofheum2b", "content": "Urgent: Critical NGINX vulnerability (CVE-2026-42945) under active exploitation. Update to NGINX 1.31.1/1.30.1 immediately. 
#CyberSecurity #NGINX #CVE202642945 Link: thedailytechfeed.com/critical-ngi...", "creation_timestamp": "2026-05-19T15:16:11.807392Z"}, {"uuid": "b9c10627-1817-4452-900f-b5d849a9c27f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "exploited", "source": "https://t.me/xakep_ru/19396", "content": "First cases of exploitation of a fresh NGINX bug recorded\n\nThe critical vulnerability CVE-2026-42945 in NGINX, dubbed NGINX Rift, is already being used in real attacks. 
According to specialists at VulnCheck, exploitation attempts began just a few days after the CVE was published and patches were released.\n\nhttps://xakep.ru/2026/05/19/cve-2026-42945-attacks/", "creation_timestamp": "2026-05-19T15:36:39.000000Z"}, {"uuid": "606622be-c701-4814-a515-9de290badc89", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://infosec.exchange/users/obivan/statuses/116603263933186294", "content": "PoC for Nginx RCE (CVE-2026-42945) with ASLR enabled https://github.com/Hamid-K/nginx-rift-private-lab", "creation_timestamp": "2026-05-19T21:03:28.669063Z"}, {"uuid": "9216a981-4400-4826-8f5b-69a57e81685e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/obivan.infosec.exchange.ap.brid.gy/post/3mmac3j4edip2", "content": "PoC for Nginx RCE (CVE-2026-42945) with ASLR enabled https://github.com/Hamid-K/nginx-rift-private-lab", "creation_timestamp": "2026-05-19T21:04:14.826756Z"}, {"uuid": "28863afd-b064-4e40-9d65-f7fe60e81344", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": 
"https://bsky.app/profile/pmloik.bsky.social/post/3mmaueesnqq2x", "content": "Top 3 CVE for last 7 days:\nCVE-2026-42897: 56 interactions\nCVE-2026-46300: 56 interactions\nCVE-2026-42945: 50 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-31635: 9 interactions\nCVE-2026-42945: 8 interactions\nCVE-2026-41054: 4 interactions\n", "creation_timestamp": "2026-05-20T02:30:37.561798Z"}, {"uuid": "b24d1abb-f859-4e6f-aee7-92eed77b9394", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/AMxmfUF4ewnzD7lMn6F-NG7YppsQsWodDT8ioiY0udlXjVPS", "content": "", "creation_timestamp": "2026-05-21T18:44:33.000000Z"}, {"uuid": "dce8ab07-2b5b-4178-a6ba-19f0b1996564", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mmbahkja7s2w", "content": "\ud83d\udccc NGINX Vulnerability CVE-2026-42945 Actively Exploited in the Wild https://www.cyberhub.blog/article/26192-nginx-vulnerability-cve-2026-42945-actively-exploited-in-the-wild", "creation_timestamp": "2026-05-20T06:07:10.514636Z"}, {"uuid": "95338f72-c27e-4905-be69-4a200c24198b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://www.govcert.gov.hk/en/alerts_detail.php?id=1871", "content": "", "creation_timestamp": "2026-05-13T21:00:00.000000Z"}, {"uuid": "4a8f8035-3b71-4551-acfd-f336370e4d96", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/opsmatters.com/post/3mmdn43gylt2q", "content": "The latest update for #CyCognito includes 
\"Emerging Threat: (CVE-2026-42945) NGINX Rift Heap Overflow in Rewrite Module\" and \"Emerging Threat: (CVE-2026-20182) Cisco Catalyst SD-WAN Authentication Bypass\".\n \n#cybersecurity #AttackSurfaceManagement #EASM https://opsmtrs.com/44Srq0X", "creation_timestamp": "2026-05-21T04:58:41.809346Z"}, {"uuid": "f47f0bec-b4c7-4e2e-95ae-8175d708fce8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/84927", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keywords found: #CVE-2026 #Exploit #RCE\n\n\ud83d\udce6 Project name: CVE-2026-42945-NGINX-Rift-Toolkit\n\ud83d\udc64 Project author: gagaltotal\n\ud83d\udee0 Development language: Python\n\u2b50 Stars: 0  |  \ud83c\udf74 Forks: 0\n\ud83d\udcc5 Updated: 2026-05-20 07:39:53\n\n\ud83d\udcdd Project description:\nCVE-2026-42945 - NGINX Rift Toolkit\n\n\ud83d\udd17 Click to visit the project URL", "creation_timestamp": "2026-05-20T07:42:18.000000Z"}, {"uuid": "313ed570-07b6-4196-8041-b909046bda63", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mmbm5ejovwz2", "content": "Critical NGINX Vulnerability CVE-2026-42945 Now Under Active Attack Cybersecurity researchers are warning that attackers have already started exploiting a newly disclosed NGINX vulnerability, trac...\n\n#Firewall #Daily #Cyber #News #Vulnerabilities [\u2026] \n\n[Original post on thecyberexpress.com]", "creation_timestamp": "2026-05-20T09:36:20.910212Z"}, {"uuid": 
"23b2a61f-c00c-4808-b4ab-adea0a465cac", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://www.govcert.gov.hk/en/alerts_detail.php?id=1881", "content": "", "creation_timestamp": "2026-05-19T21:00:00.000000Z"}, {"uuid": "4bf493a5-08e1-442f-bab1-1a06d29a4f62", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/hackmag.com/post/3mmbu6mtlck2i", "content": "\ud83d\udfe2 18-year-old vulnerability in NGINX leads to remote code execution\n\n\ud83d\udde8\ufe0f Researchers from DepthFirst AI have discovered a critical vulnerability in NGINX, CVE-2026-42945, which scored 9.2 on th\u2026\n\n#news", "creation_timestamp": "2026-05-20T12:00:05.058922Z"}, {"uuid": "ab7079ae-06ae-49a7-a5a0-d27cc26ae6b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/pentest-tools.com/post/3mmbxzcxs5k2z", "content": "\ud83d\udea8 Worried about your #NGINX web servers? \ud83d\udc49We built a *free* scanner for CVE-2026-42945 (NGINX Rift)!\ud83d\udc47\n\nCheck your targets now (no account required): pentest-tools.com/network-vuln... 
\n\nOnce the scan completes (if your target is vulnerable), you'll get a finding that includes: \n\n\ud83d\udc47\ud83d\udc47\ud83d\udc47\ud83d\udc47\ud83d\udc47", "creation_timestamp": "2026-05-20T13:08:45.829018Z"}, {"uuid": "e150e1f9-28b5-45d2-821b-eafbd1a4ef92", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/pentest-tools.com/post/3mmbxzgchac2z", "content": "\ud83d\udea8 Worried about your #NGINX web servers? \ud83d\udc49We built a *free* scanner for CVE-2026-42945 (NGINX Rift)!\ud83d\udc47\n\nCheck your targets now (no account required): pentest-tools.com/network-vuln... \n\nOnce the scan completes (if your target is vulnerable), you'll get a finding that includes: \n\n\ud83d\udc47\ud83d\udc47\ud83d\udc47\ud83d\udc47\ud83d\udc47", "creation_timestamp": "2026-05-20T13:08:46.495706Z"}, {"uuid": "14f0e28b-fbe9-41ce-88e8-ea29114fa8df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/TE3YqlNh8Lh7HQBLppGqA0QLdQWZtjPwFCYattexDyR1ga0", "content": "", "creation_timestamp": "2026-05-18T15:00:14.000000Z"}, {"uuid": "2864e9f4-db15-4f38-9bf9-7d574f1d71b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/-GtOjHLopjI3IaP_VfvZorB58d5FmtAfesT4Onu4QlAoHy4", "content": "", "creation_timestamp": "2026-05-19T03:00:11.000000Z"}, {"uuid": "331b4086-5dd1-4484-874a-cf0dccac6ca6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": 
"Telegram/SCHrRkpCF0pkwO9cZRSDiWfzSKGCwL3xFSMVyArhFg6QVc0", "content": "", "creation_timestamp": "2026-05-19T15:00:15.000000Z"}, {"uuid": "73184c49-9c82-49e7-8b35-743d172a286e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/SM41ZgDjE5GCx8_K5BndOjKQZfdnq7khstyXQtIQ9aWd83s", "content": "", "creation_timestamp": "2026-05-19T21:00:04.000000Z"}, {"uuid": "8667c698-3ebe-4702-a417-694a9f3bfc49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/hzv6ufhcPbJBr7JIKKcVNglOkNG1gMbHubCrH0NP1aUauYA", "content": "", "creation_timestamp": "2026-05-20T11:00:10.000000Z"}, {"uuid": "15b74625-8cd8-4308-9c54-e0537ea76af0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/LRuVHO_NRtLslMv_pxl3JYoJM5ygIHd_ktikilExPtpHxGM", "content": "", "creation_timestamp": "2026-05-20T15:00:07.000000Z"}, {"uuid": "b49b76dc-595a-4dab-81cf-1ad6512dd783", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "Telegram/EUsL0GBkk0Vgc4QR4rSrAW23hhvDTc4r4ZLNoVXnBNt04Fk", "content": "", "creation_timestamp": "2026-05-20T19:00:11.000000Z"}, {"uuid": "efa57a9f-6553-4964-9a73-98817c57213a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://bsky.app/profile/almalinux.org/post/3mmesomo3lk24", "content": "\ud83d\udea8 nginx has a critical vuln 
hiding in it for 18 years. \n\nWe patched it across AlmaLinux 8, 9, 10 &amp; Kitten\u2014including EOL streams\u2014before upstream did.\n\nDetails on our blog. \ud83d\udc49 https://almalinux.org/blog/2026-05-13-nginx-rift-cve-2026-42945/?utm_medium=social&amp;utm_source=bluesky", "creation_timestamp": "2026-05-21T16:11:12.630684Z"}, {"uuid": "b735c97d-dff8-46c7-ae0a-21f34937a930", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "https://t.me/donnazmi/1075", "content": "Free to use and share ya.\n\nhttps://github.com/forxiucn/nginx-cve-2026-42945-poc\nhttps://github.com/chenqin231/CVE-2026-42945\nhttps://github.com/byezero/nginx-cve-2026-42945-check", "creation_timestamp": "2026-05-19T14:45:43.000000Z"}, {"uuid": "05bd4444-06f4-4ac8-87d7-7b4094c39ccc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/y4W9fQ0s435t06YqivFDBJuH4KL8EGUFyQpMcFpfFM7n6Sq6", "content": "", "creation_timestamp": "2026-05-21T19:00:57.000000Z"}, {"uuid": "25cd055f-9475-41e7-bd18-7ba117feae16", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/nginx-multiple-vulnerabilities_20260515", "content": "", "creation_timestamp": "2026-05-14T18:00:00.000000Z"}, {"uuid": "2431f079-09d5-49c9-8184-9bbeeef01e9f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/0JZVqbB1rKqBB9hp8lsgoqSMQmBZfJa9U3GcChkguYZyduk", "content": "", "creation_timestamp": "2026-05-23T19:00:10.000000Z"}, {"uuid": 
"1cb160de-ef39-4f2d-ae22-866187df73d3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/aegisbot.bsky.social/post/3mmhlcgr2r42v", "content": "\ud83d\udd0d Top signals this week:\n\nCVEs: CVE-2026-20182, CVE-2026-42897, CVE-2026-45585, CVE-2026-42945, CVE-2026-9082\nActors: Ransomware, Apt, Play\n\nFull intel: https://matlock.ca/cybersecnews", "creation_timestamp": "2026-05-22T18:37:06.900436Z"}, {"uuid": "5b7821be-ba6b-4d49-a207-5dd79899f4ed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/insomnisec.bsky.social/post/3mmhdlda2k72q", "content": "NGINX Rift (CVE-2026-42945): An 18-Year-Old Flaw in the World's Most Deployed Web Server\n\nIf you operate any internet-facing infrastructure, there is a reasonable chance NGINX is somewhere in your stack. 
It sits in front of roughly a third of the public internet: as a web server, a reverse...\n\nhttps", "creation_timestamp": "2026-05-22T16:18:54.848354Z"}, {"uuid": "f920b5ce-20bf-4480-b97d-e5656447b4c0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/insomnisec.bsky.social/post/3mmhdtnmghc24", "content": "\ud83d\udce1 NGINX Rift (CVE-2026-42945): An 18-Year-Old Flaw in the World's Most Deployed Web Server", "creation_timestamp": "2026-05-22T16:23:34.066575Z"}, {"uuid": "99111e17-e926-4c81-aad7-d5d5bfd1da3b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/geeknik.bsky.social/post/3mmij22qp7p2p", "content": "NGINX Rift (CVE-2026-42945): unauthenticated heap overflow triggered by unnamed PCRE captures plus a \"?\" in rewrite rules. Grep your configs tonight. DoS is trivial, RCE is hard but not theoretical. 
Akamai conveniently sells the bandage.\nwww.akamai.com/blog/...", "creation_timestamp": "2026-05-23T03:29:17.762547Z"}, {"uuid": "94530e9e-8928-4e05-88e2-208f822a5e20", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/85441", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keywords found: #CVE-2026 #POC #Exploit #RCE\n\n\ud83d\udce6 Project name: CVE-2026-42945-nginx-rift-poc\n\ud83d\udc64 Project author: F2u0a0d3\n\ud83d\udee0 Development language: Python\n\u2b50 Stars: 0  |  \ud83c\udf74 Forks: 0\n\ud83d\udcc5 Updated: 2026-05-22 18:23:35\n\n\ud83d\udcdd Project description:\nPoC for CVE-2026-42945 (nginx Rift) \u2014 heap buffer overflow in ngx_http_rewrite_module. Includes detect/probe/exploit modes, dual-fixture Docker lab, empirical address discovery, OOB-verified offset sweep. 
Original disclosure by depthfirst.\n\n\ud83d\udd17 Click to visit the project URL", "creation_timestamp": "2026-05-22T19:00:06.000000Z"}, {"uuid": "903db7e9-d2c9-4ab9-8c27-a6539a62cc4e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/happy-homhom.bsky.social/post/3mmhsruv2wq2w", "content": "PoC released that exploits the serious NGINX vulnerability \"CVE-2026-42945\": a plain-language explanation of what happens\nhttps://papoo.work/doc/a02e47991ba665ef", "creation_timestamp": "2026-05-22T20:51:01.036886Z"}, {"uuid": "1aaf5621-fa31-4425-abf3-cf5c11dca55b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42945", "type": "seen", "source": "https://mastodon.social/ap/users/115426718704364579/statuses/116630692762822462", "content": "\ud83d\udcf0 Critical 18-Year-Old 'NGINX Rift' Vulnerability (CVE-2026-42945) Under Active Attack\n\ud83d\udea8 CRITICAL NGINX FLAW! An 18-year-old bug 'NGINX Rift' (CVE-2026-42945) is actively exploited for DoS &amp; RCE. Affects millions of web servers. Patch immediately! 
#NGINX #CVE #Infosec #PatchNow\n\ud83c\udf10 cyber[.]netsecops[.]io\n\ud83d\udd17 https://cyber.netsecops.io/articles/nginx-rift-critical-vulnerability-cve-2026-42945-active-exploitation/?utm_source=mastodon&amp;utm_medium=social&amp;utm_campaign=daily", "creation_timestamp": "2026-05-24T17:19:01.521757Z"}, {"uuid": "5b02d30c-6645-4e70-b39e-ac65a3032f0b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/85578", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keywords found: #CVE-2026 #RCE\n\n\ud83d\udce6 Project name: nginx-rce-cve-2026-42945\n\ud83d\udc64 Project author: webdev75950-ux\n\ud83d\udee0 Development language: Unknown\n\u2b50 Stars: 0  |  \ud83c\udf74 Forks: 0\n\ud83d\udcc5 Updated: 2026-05-23 15:21:58\n\n\ud83d\udcdd Project description:\nNo description\n\n\ud83d\udd17 Click to visit the project URL", "creation_timestamp": "2026-05-23T16:00:04.000000Z"}, {"uuid": "9f7a1dab-9299-4d9c-bb31-d7704d762f43", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/netsecio.bsky.social/post/3mmmhvxomym2x", "content": "\ud83d\udea8 CRITICAL NGINX FLAW! An 18-year-old bug 'NGINX Rift' (CVE-2026-42945) is actively exploited for DoS &amp; RCE. Affects millions of web servers. Patch immediately! 
#NGINX #CVE #Infosec #PatchNow\n\n\ud83c\udf10 cyber[.]netsecops[.]io", "creation_timestamp": "2026-05-24T17:19:45.590184Z"}, {"uuid": "a81d4d71-ecef-4971-a8b8-e1d9b8531925", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/PWXxTbzLBS2I2NTEEZXYxWglH9J71PY-BvJO95sfjgRqY3E", "content": "", "creation_timestamp": "2026-05-25T03:00:10.000000Z"}, {"uuid": "1eeccfb6-5fc4-490f-9674-dd8ec5d676ac", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/boredchilada.bsky.social/post/3mmmrecnkqz2f", "content": "~Checkpoint~\nHighlights include active exploitation of Cisco SD-WAN, Windows zero-days, and major ransomware breaches.\n-\nIOCs: CVE-2026-20182, CVE-2026-42945, YellowKey\n-\n#Ransomware #ThreatIntel #ZeroDay", "creation_timestamp": "2026-05-24T20:08:50.775262Z"}, {"uuid": "9701c1df-0a7c-464c-b858-7c4309328b17", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/85824", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keywords found: #CVE-2026 #RCE\n\n\ud83d\udce6 Project name: CVE-2026-42945-Nginx-RCE-bypass-ASLR\n\ud83d\udc64 Project author: bamov970\n\ud83d\udee0 Language: Python\n\u2b50 Stars: 1  |  \ud83c\udf74 Forks: 0\n\ud83d\udcc5 Updated: 2026-05-25 12:21:49\n\n\ud83d\udcdd Project description:\nCVE-2026-42945 turns a 17-year-old NGINX rewrite bug into remote code execution \u2014 even with ASLR on, by chaining the heap overflow with live 
worker memory read through a common file-read flaw.\n\n\ud83d\udd17 Click to visit the project page", "creation_timestamp": "2026-05-25T13:00:04.000000Z"}, {"uuid": "dd1c890c-019d-46be-a140-8df6931a400d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/09LhGZPdHPLXcDWCkwaK2Vt3BzUXQ-c_3WptS0kLGmYjR58", "content": "", "creation_timestamp": "2026-05-22T21:00:04.000000Z"}, {"uuid": "f424605e-2b0a-493f-9539-bb0b8e1ec7ed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/GxW7z8duNlVdfiWWs_v41lYfs7S7xkZAHymlGuRAZQODzxg", "content": "", "creation_timestamp": "2026-05-22T19:00:10.000000Z"}, {"uuid": "a5186743-292a-40b5-9dde-02c4bbf80646", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://t.me/GithubRedTeam/85799", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keywords found: #\u6f0f\u6d1e #CVE\n\n\ud83d\udce6 Project name: NGINX-Rift\n\ud83d\udc64 Project author: nu0l\n\ud83d\udee0 Language: Unknown\n\u2b50 Stars: 0  |  \ud83c\udf74 Forks: 0\n\ud83d\udcc5 Updated: 2026-05-25 09:02:51\n\n\ud83d\udcdd Project description:\nCVE-2026-42945 NGINX heap overflow vulnerability scanning and verification tool\n\n\ud83d\udd17 Click to visit the project page", "creation_timestamp": "2026-05-25T09:05:11.000000Z"}, {"uuid": "fb4cc2e6-7cc2-4624-b320-150be0fa69d8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": 
"9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://gist.github.com/coquinone/369492f9b58b8ac7cd7c0946a83fb8c9", "content": "# Shift left with automated penetration testing: Integrating AWS Security Agent into your CI/CD pipeline\n\nAI is changing the vulnerability landscape fast. In May 2026, researchers at DepthFirst used an AI-assisted detection platform to uncover [NGINX Rift (CVE-2026-42945)](https://www.secure.com/news/nginx-18-year-old-rce-vulnerability), a critical heap buffer overflow that had been sitting in the NGINX codebase since 2008, affecting roughly a third of all websites on the internet. Around the same time, Microsoft announced their agentic security system found [16 new vulnerabilities in the Windows networking stack](https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/), including four critical RCE flaws. CVE disclosure rates for some vendors jumped by up to 500% in Q1 2026 compared to the previous quarter, largely driven by AI-assisted discovery.\n\nThe message is clear: attackers and researchers are finding bugs faster than most teams can test for them. If your security validation still happens monthly (or worse, quarterly), you are falling behind. This is where \"shift left\" comes in: move security testing earlier in the development lifecycle and make it continuous, so vulnerabilities get caught before they reach production.\n\n[AWS Security Agent](https://aws.amazon.com/security-agent) provides on-demand penetration testing that you can trigger programmatically via APIs. It doesn't have a native CI/CD integration today, but it exposes public APIs (`StartPentestJob`, `BatchGetPentestJobs`, `ListFindings`, `BatchGetFindings`) that you can call from your pipeline. 
In this post, I walk through how to wire those APIs into a GitHub Actions workflow so every deployment gets automatically tested for vulnerabilities and blocked if critical issues are found.\n\n> **Note:** All code in this post is sample code for reference purposes. You should review, test, and modify it to suit your own environment, security requirements, and organisational standards before using in production.\n\nBy the end of this walkthrough, you will have a pipeline that deploys your application to staging, triggers an autonomous penetration test, waits for results, and enforces a quality gate, all without human intervention.\n\n## Overview\n\nIn most large organisations, there is usually a dedicated platform team or AppSec team that manages security tooling centrally. Individual application teams don't each host their own scanning infrastructure. Instead, the central team provisions and maintains shared tooling, and app teams just plug into it. This is the model we use in this post.\n\nThe integration follows a separation of responsibilities:\n\n- **Central security/platform team** provisions infrastructure (Agent Spaces, IAM roles, domain verification) using AWS CDK and maintains a shared GitHub Action that any app team can reference.\n- **Application teams** configure their pentest targets through the Security Agent Web Application and add a few lines of YAML to their existing pipeline. 
They don't need to understand the underlying infrastructure.\n\nThe repeatable pipeline flow looks like this:\n\n![Pipeline flow: Code merged, deploy to staging, trigger pentest, poll for results, block or proceed based on findings](diagram-pipeline-flow.png)\n\n## Prerequisites\n\nBefore you start, make sure you have:\n\n- An AWS account with [AWS Security Agent](https://aws.amazon.com/security-agent) enabled\n- [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/) configured for user access to the Security Agent Web Application\n- A GitHub repository with GitHub Actions enabled\n- [AWS CDK](https://aws.amazon.com/cdk/) v2.170+ installed (for infrastructure deployment)\n- A staging environment for your application\n\n## Architecture and responsibility matrix\n\nOne thing worth calling out: there are two separate IAM roles involved, and they serve very different purposes:\n\n1. **Pentest execution role**: this one gets assumed by the AWS Security Agent service while it's actually running the tests. It needs access to CloudWatch Logs, Secrets Manager, and optionally Lambda functions for credential vending.\n2. **GitHub Actions role**: this one gets assumed by the GitHub runner via OIDC federation to call Security Agent APIs (`StartPentestJob`, `BatchGetPentestJobs`, `ListFindings`). It doesn't do any actual testing itself.\n\nHere is how responsibilities break down:\n\n| Activity | Owner | Frequency | Custom code? 
|\n|---|---|---|---|\n| Deploy Agent Space + IAM + Domain | Central team | Once per app | Yes (CDK) |\n| Install GitHub App integration | Central team | Once per org | No (Console) |\n| Upload docs & API specs | App team | Once (update as needed) | No (Web UI) |\n| Create pentest configuration | App team | Once per app | No (Web UI) |\n| Shared GitHub Action (`run-pentest`) | Central team | Built once | Yes |\n| Integrate action into pipeline | App team | Once | No (YAML config) |\n\n## Step 1: Provision infrastructure with AWS CDK\n\nThe central security team deploys all the infrastructure using AWS CDK (Python). The `aws_cdk.aws_securityagent` module provides L1 constructs for the required CloudFormation resource types. Nothing too fancy here, just standard CDK patterns.\n\n### CDK project structure\n\n```\nsecurity-agent-infra/\n\u251c\u2500\u2500 app.py\n\u251c\u2500\u2500 cdk.json\n\u251c\u2500\u2500 requirements.txt\n\u2514\u2500\u2500 stacks/\n    \u251c\u2500\u2500 __init__.py\n    \u251c\u2500\u2500 security_agent_app_stack.py\n    \u2514\u2500\u2500 agent_space_stack.py\n```\n\n### Application stack (one per AWS account)\n\nThis stack deploys the top-level Security Agent Application resource. 
It configures IAM Identity Center so your team can access the Web Application.\n\n```python\n# stacks/security_agent_app_stack.py\n\nfrom aws_cdk import (\n    Stack,\n    CfnOutput,\n    aws_securityagent as securityagent,\n    aws_iam as iam,\n)\nfrom constructs import Construct\n\n\nclass SecurityAgentAppStack(Stack):\n    def __init__(self, scope: Construct, construct_id: str,\n                 idc_instance_arn: str,\n                 kms_key_id: str = None,\n                 **kwargs) -> None:\n        super().__init__(scope, construct_id, **kwargs)\n\n        self.service_role = iam.Role(\n            self, \"SecurityAgentServiceRole\",\n            assumed_by=iam.ServicePrincipal(\"securityagent.amazonaws.com\"),\n            description=\"Service role for AWS Security Agent\",\n        )\n\n        self.application = securityagent.CfnApplication(\n            self, \"SecurityAgentApplication\",\n            role_arn=self.service_role.role_arn,\n            idc_configuration=securityagent.CfnApplication.IdCConfigurationProperty(\n                idc_instance_arn=idc_instance_arn,\n            ),\n            default_kms_key_id=kms_key_id,\n            tags=[{\"key\": \"ManagedBy\", \"value\": \"CDK\"}],\n        )\n\n        CfnOutput(self, \"ApplicationId\",\n                  value=self.application.attr_application_id)\n        CfnOutput(self, \"WebAppDomain\",\n                  value=self.application.attr_domain)\n```\n\n### Agent Space stack (one per application)\n\nThis is where most of the per-application setup lives. It creates the Agent Space, target domain, pentest execution role, and the GitHub Actions OIDC role. 
I will break this into a few parts so it's easier to follow.\n\n```python\n# stacks/agent_space_stack.py\n\nfrom aws_cdk import (\n    Stack, CfnOutput, RemovalPolicy,\n    aws_securityagent as securityagent,\n    aws_iam as iam,\n    aws_logs as logs,\n    aws_secretsmanager as secretsmanager,\n)\nfrom constructs import Construct\n\n\nclass AgentSpaceStack(Stack):\n    def __init__(self, scope: Construct, construct_id: str,\n                 app_name: str,\n                 target_domain: str,\n                 service_role_arn: str,\n                 secret_arns: list[str] = None,\n                 **kwargs) -> None:\n        super().__init__(scope, construct_id, **kwargs)\n\n        # CloudWatch Log Group for pentest execution logs\n        self.log_group = logs.LogGroup(\n            self, \"PentestLogGroup\",\n            log_group_name=f\"/aws/securityagent/{app_name}\",\n            retention=logs.RetentionDays.ONE_YEAR,\n            removal_policy=RemovalPolicy.RETAIN,\n        )\n\n        # Role assumed by Security Agent during testing\n        self.pentest_role = iam.Role(\n            self, \"PentestExecutionRole\",\n            role_name=f\"SecurityAgent-{app_name}-PentestRole\",\n            assumed_by=iam.ServicePrincipal(\"securityagent.amazonaws.com\"),\n        )\n        self.log_group.grant_write(self.pentest_role)\n\n        if secret_arns:\n            for secret_arn in secret_arns:\n                secret = secretsmanager.Secret.from_secret_complete_arn(\n                    self, f\"Secret-{secret_arn[-8:]}\",\n                    secret_complete_arn=secret_arn\n                )\n                secret.grant_read(self.pentest_role)\n```\n\nThe GitHub Actions role uses OIDC federation so you don't need to store any long-lived credentials in GitHub:\n\n```python\n        # Role assumed by GitHub runner to trigger/monitor pentests\n        self.github_action_role = iam.Role(\n            self, \"GitHubActionRole\",\n            
role_name=f\"GitHubActions-{app_name}-Pentest\",\n            assumed_by=iam.FederatedPrincipal(\n                \"token.actions.githubusercontent.com\",\n                conditions={\n                    \"StringEquals\": {\n                        \"token.actions.githubusercontent.com:aud\": \"sts.amazonaws.com\"\n                    },\n                    \"StringLike\": {\n                        \"token.actions.githubusercontent.com:sub\": \"repo:your-org/*:*\"\n                    },\n                },\n                assume_role_action=\"sts:AssumeRoleWithWebIdentity\",\n            ),\n        )\n        self.github_action_role.add_to_policy(iam.PolicyStatement(\n            actions=[\n                \"securityagent:StartPentestJob\",\n                \"securityagent:BatchGetPentestJobs\",\n                \"securityagent:ListFindings\",\n                \"securityagent:BatchGetFindings\",\n            ],\n            resources=[\"*\"],\n        ))\n```\n\nFinally, the target domain and Agent Space resources. 
This is where everything comes together:\n\n```python\n        # Target domain registration\n        self.target_domain = securityagent.CfnTargetDomain(\n            self, \"TargetDomain\",\n            target_domain_name=target_domain,\n            verification_method=\"DNS_TXT\",\n        )\n\n        # Agent Space\n        self.agent_space = securityagent.CfnAgentSpace(\n            self, \"AgentSpace\",\n            name=app_name,\n            description=f\"Security testing workspace for {app_name}\",\n            target_domain_ids=[self.target_domain.attr_target_domain_id],\n            aws_resources=securityagent.CfnAgentSpace.AWSResourcesProperty(\n                iam_roles=[self.pentest_role.role_arn],\n                log_groups=[self.log_group.log_group_arn],\n                secret_arns=secret_arns or [],\n            ),\n        )\n\n        # Outputs for the application team\n        CfnOutput(self, \"AgentSpaceId\",\n                  value=self.agent_space.attr_agent_space_id)\n        CfnOutput(self, \"GitHubActionRoleArn\",\n                  value=self.github_action_role.role_arn)\n```\n\n### CDK app entry point\n\n```python\n# app.py\n\nimport aws_cdk as cdk\nfrom stacks.security_agent_app_stack import SecurityAgentAppStack\nfrom stacks.agent_space_stack import AgentSpaceStack\n\napp = cdk.App()\nenv = cdk.Environment(account=\"123456789012\", region=\"ap-southeast-2\")\n\n# Account-level setup (deploy once)\napp_stack = SecurityAgentAppStack(\n    app, \"SecurityAgentApp\",\n    idc_instance_arn=\"arn:aws:sso:::instance/ssoins-xxxxxxxxxxxx\",\n    kms_key_id=\"arn:aws:kms:ap-southeast-2:123456789012:key/mrk-xxxx\",\n    env=env,\n)\n\n# Per-application Agent Space\nAgentSpaceStack(\n    app, \"AgentSpace-payments-api\",\n    app_name=\"payments-api\",\n    target_domain=\"staging-payments.example.com\",\n    service_role_arn=app_stack.service_role.role_arn,\n    secret_arns=[\n        
\"arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:pentest/payments-api-creds\"\n    ],\n    env=env,\n)\n\napp.synth()\n```\n\nDeploy with:\n\n```bash\npip install aws-cdk-lib constructs\ncdk deploy --all\n```\n\nAfter deployment, note the `AgentSpaceId` and `GitHubActionRoleArn` outputs. You will need to provide these to the application team.\n\n### Connect GitHub (console)\n\nThe GitHub App installation is a manual step in the AWS Console. Can't automate this part unfortunately:\n\n1. Navigate to **AWS Security Agent** \u2192 **Integrations**\n2. Choose **Add Integration** \u2192 **GitHub**\n3. Install the AWS Security Agent GitHub App into your GitHub organisation\n4. Authorise access to the required repositories\n\n## Step 2: Configure pentest targets (application team)\n\nThe application team does their setup entirely through the Security Agent Web Application. No custom code needed here.\n\nAfter receiving the `AgentSpaceId` and Web Application URL from the central team:\n\n1. **Log in** to the Security Agent Web Application using IAM Identity Center credentials\n2. **Select the Agent Space** created by the central team\n3. **Upload context artefacts**: architecture diagrams, OpenAPI specs, threat models. These help the agent build deeper understanding of your application for more targeted testing. Supported formats include PDF, YAML, JSON, Markdown, PNG, and DOCX.\n4. **Create a pentest configuration:**\n   - Set a title (e.g., \"Payments API - CI/CD Pentest\")\n   - Add target endpoints (e.g., `https://staging-payments.example.com`)\n   - Configure actors with authentication credentials (referencing your Secrets Manager secret)\n   - Select which risk types to include or exclude\n   - Optionally enable automatic code remediation (creates PRs in GitHub)\n5. **Note the `pentestId`**. 
You'll need this for the pipeline.\n\nThen store these as GitHub repository secrets:\n\n| Secret Name | Value | Source |\n|---|---|---|\n| `AGENT_SPACE_ID` | `asp-xxxxxxxxxxxx` | CDK output (from central team) |\n| `PENTEST_ID` | `pt-xxxxxxxxxxxx` | Web UI (after creating pentest config) |\n| `PENTEST_ROLE_ARN` | `arn:aws:iam::...:role/GitHubActions-payments-api-Pentest` | CDK output: `GitHubActionRoleArn` |\n\n## Step 3: Build the shared GitHub Action\n\nThe central team maintains a reusable composite GitHub Action in a shared repository (e.g., `your-org/security-actions`). This action handles the full lifecycle: trigger the pentest, poll for completion, extract findings, and enforce a quality gate. Once built, every app team in your organisation can reference it.\n\nThe action calls these AWS Security Agent APIs:\n\n| API | Purpose |\n|---|---|\n| `StartPentestJob` | Trigger the penetration test |\n| `BatchGetPentestJobs` | Poll for job completion status |\n| `ListFindings` | Retrieve finding summaries for the quality gate |\n| `BatchGetFindings` | (Optional) Get full finding details for reporting |\n\n### Action definition\n\n```yaml\n# .github/actions/run-pentest/action.yml\nname: 'AWS Security Agent - Run Pentest'\ndescription: 'Triggers an AWS Security Agent pentest and reports results'\ninputs:\n  agent-space-id:\n    description: 'AWS Security Agent Space ID'\n    required: true\n  pentest-id:\n    description: 'Pentest configuration ID'\n    required: true\n  aws-region:\n    description: 'AWS region'\n    required: false\n    default: 'ap-southeast-2'\n  poll-interval:\n    description: 'Seconds between status polls'\n    required: false\n    default: '60'\n  timeout-minutes:\n    description: 'Maximum wait time in minutes'\n    required: false\n    default: '120'\n  fail-on-critical:\n    description: 'Fail if CRITICAL findings with HIGH confidence exist'\n    required: false\n    default: 'true'\n  fail-on-high:\n    description: 'Fail if HIGH findings 
with HIGH confidence exist'\n    required: false\n    default: 'true'\n  include-full-details:\n    description: 'Include full finding details in output'\n    required: false\n    default: 'false'\noutputs:\n  pentest-job-id:\n    description: 'The pentest job ID'\n    value: ${{ steps.run.outputs.pentest-job-id }}\n  status:\n    description: 'Final job status'\n    value: ${{ steps.run.outputs.status }}\n  findings-count:\n    description: 'Total findings'\n    value: ${{ steps.run.outputs.findings-count }}\n  critical-count:\n    description: 'CRITICAL findings count'\n    value: ${{ steps.run.outputs.critical-count }}\n  high-count:\n    description: 'HIGH findings count'\n    value: ${{ steps.run.outputs.high-count }}\n  results-file:\n    description: 'Path to results JSON'\n    value: ${{ steps.run.outputs.results-file }}\nruns:\n  using: 'composite'\n  steps:\n    - name: Run Pentest\n      id: run\n      shell: bash\n      env:\n        AGENT_SPACE_ID: ${{ inputs.agent-space-id }}\n        PENTEST_ID: ${{ inputs.pentest-id }}\n        AWS_REGION: ${{ inputs.aws-region }}\n        POLL_INTERVAL: ${{ inputs.poll-interval }}\n        TIMEOUT_MINUTES: ${{ inputs.timeout-minutes }}\n        FAIL_ON_CRITICAL: ${{ inputs.fail-on-critical }}\n        FAIL_ON_HIGH: ${{ inputs.fail-on-high }}\n        INCLUDE_FULL_DETAILS: ${{ inputs.include-full-details }}\n      run: python ${{ github.action_path }}/run_pentest.py\n```\n\n### Action script\n\nThe Python script implements the core logic. It goes through four phases that mirror the pentest job execution steps (PREFLIGHT \u2192 STATIC_ANALYSIS \u2192 PENTEST \u2192 FINALIZING). 
Let me walk through the key parts:\n\n```python\n#!/usr/bin/env python3\n# .github/actions/run-pentest/run_pentest.py\n\nimport boto3\nimport json\nimport os\nimport sys\nimport time\nfrom datetime import datetime, timezone\n\n\ndef get_env(name: str, default: str = None) -> str:\n    value = os.environ.get(name, default)\n    if value is None:\n        print(f\"::error::Missing required env var: {name}\")\n        sys.exit(1)\n    return value\n\n\ndef set_output(name: str, value: str):\n    output_file = os.environ.get('GITHUB_OUTPUT', '')\n    if output_file:\n        with open(output_file, 'a') as f:\n            f.write(f\"{name}={value}\\n\")\n\n\ndef main():\n    # Configuration\n    agent_space_id = get_env('AGENT_SPACE_ID')\n    pentest_id = get_env('PENTEST_ID')\n    region = get_env('AWS_REGION', 'ap-southeast-2')\n    poll_interval = int(get_env('POLL_INTERVAL', '60'))\n    timeout_minutes = int(get_env('TIMEOUT_MINUTES', '120'))\n    fail_on_critical = get_env('FAIL_ON_CRITICAL', 'true').lower() == 'true'\n    fail_on_high = get_env('FAIL_ON_HIGH', 'true').lower() == 'true'\n    include_details = get_env('INCLUDE_FULL_DETAILS', 'false').lower() == 'true'\n\n    client = boto3.client('securityagent', region_name=region)\n\n    # Step 1: Start the pentest job\n    print(\"::group::Starting pentest job\")\n    response = client.start_pentest_job(\n        agentSpaceId=agent_space_id,\n        pentestId=pentest_id\n    )\n    job_id = response['pentestJobId']\n    print(f\"  Job started: {job_id}\")\n    print(\"::endgroup::\")\n    set_output('pentest-job-id', job_id)\n\n    # Step 2: Poll until completion\n    print(\"::group::Polling for completion\")\n    timeout_secs = timeout_minutes * 60\n    start_time = time.time()\n    terminal_states = {'COMPLETED', 'FAILED', 'STOPPED'}\n\n    while True:\n        elapsed = time.time() - start_time\n        if elapsed > timeout_secs:\n            print(f\"::error::Timeout after {timeout_minutes}m\")\n      
      set_output('status', 'TIMEOUT')\n            sys.exit(1)\n\n        time.sleep(poll_interval)\n        resp = client.batch_get_pentest_jobs(\n            agentSpaceId=agent_space_id,\n            pentestJobIds=[job_id]\n        )\n        job = resp['pentestJobs'][0]\n        status = job['status']\n        print(f\"  [{int(elapsed/60)}m] Status: {status}\")\n\n        if status in terminal_states:\n            break\n\n    print(\"::endgroup::\")\n    set_output('status', status)\n\n    if status == 'FAILED':\n        err = job.get('errorInformation', {})\n        print(f\"::error::Job failed: {err.get('message', 'Unknown')}\")\n        sys.exit(1)\n```\n\nAfter the job completes, the script retrieves findings and applies the quality gate. This is the part that decides whether your pipeline passes or fails:\n\n```python\n    # Step 3: Retrieve findings\n    print(\"::group::Retrieving findings\")\n    summaries = []\n    next_token = None\n\n    while True:\n        params = {'agentSpaceId': agent_space_id, 'pentestJobId': job_id}\n        if next_token:\n            params['nextToken'] = next_token\n        resp = client.list_findings(**params)\n        summaries.extend(resp.get('findingsSummaries', []))\n        next_token = resp.get('nextToken')\n        if not next_token:\n            break\n\n    # Count by severity\n    counts = {}\n    for f in summaries:\n        level = f.get('riskLevel', 'UNKNOWN')\n        counts[level] = counts.get(level, 0) + 1\n\n    critical = counts.get('CRITICAL', 0)\n    high = counts.get('HIGH', 0)\n    medium = counts.get('MEDIUM', 0)\n    low = counts.get('LOW', 0)\n\n    set_output('findings-count', str(len(summaries)))\n    set_output('critical-count', str(critical))\n    set_output('high-count', str(high))\n    print(\"::endgroup::\")\n\n    # Step 4: Write results JSON\n    results = {\n        'metadata': {\n            'agentSpaceId': agent_space_id,\n            'pentestJobId': job_id,\n            'status': 
status,\n            'timestamp': datetime.now(timezone.utc).isoformat(),\n            'overview': job.get('overview', ''),\n        },\n        'summary': {\n            'total': len(summaries),\n            'critical': critical,\n            'high': high,\n            'medium': medium,\n            'low': low,\n        },\n        'findings': [\n            {\n                'findingId': f.get('findingId'),\n                'name': f.get('name'),\n                'riskType': f.get('riskType'),\n                'riskLevel': f.get('riskLevel'),\n                'confidence': f.get('confidence'),\n                'status': f.get('status'),\n            }\n            for f in summaries\n        ],\n    }\n\n    results_file = os.path.join(\n        os.environ.get('GITHUB_WORKSPACE', '.'), 'pentest-results.json'\n    )\n    with open(results_file, 'w') as fh:\n        json.dump(results, fh, indent=2, default=str)\n    set_output('results-file', results_file)\n\n    # Step 5: Quality gate\n    gate_critical = [f for f in summaries\n                     if f.get('riskLevel') == 'CRITICAL'\n                     and f.get('confidence') == 'HIGH']\n    gate_high = [f for f in summaries\n                 if f.get('riskLevel') == 'HIGH'\n                 and f.get('confidence') == 'HIGH']\n\n    if fail_on_critical and gate_critical:\n        print(f\"::error::BLOCKED: {len(gate_critical)} CRITICAL finding(s)\")\n        sys.exit(1)\n    if fail_on_high and gate_high:\n        print(f\"::error::BLOCKED: {len(gate_high)} HIGH finding(s)\")\n        sys.exit(1)\n\n    print(\"Quality gate PASSED\")\n\n\nif __name__ == '__main__':\n    main()\n```\n\nThe quality gate only fails on findings with **HIGH confidence**. This avoids blocking deployments on unconfirmed or low-confidence findings that might need manual review first. 
You can tune this behaviour with the `fail-on-critical` and `fail-on-high` inputs.\n\n## Step 4: Integrate into your pipeline\n\nWith the shared action in place, the application team just adds a workflow to their repository. This is the only file they need to create:\n\n```yaml\n# .github/workflows/deploy-and-pentest.yml\nname: Deploy & Pentest\n\non:\n  push:\n    branches: [main]\n  pull_request:\n    branches: [main]\n\npermissions:\n  id-token: write\n  contents: read\n  pull-requests: write\n\nenv:\n  AWS_REGION: ap-southeast-2\n\njobs:\n  build-and-deploy:\n    runs-on: ubuntu-latest\n    outputs:\n      deployed: ${{ steps.deploy.outputs.success }}\n    steps:\n      - uses: actions/checkout@v4\n      - name: Build\n        run: npm ci && npm run build\n      - name: Configure AWS credentials\n        uses: aws-actions/configure-aws-credentials@v4\n        with:\n          role-to-assume: ${{ secrets.DEPLOY_ROLE_ARN }}\n          aws-region: ${{ env.AWS_REGION }}\n      - name: Deploy to staging\n        id: deploy\n        run: |\n          # Your deployment steps here\n          echo \"success=true\" >> $GITHUB_OUTPUT\n\n  pentest:\n    runs-on: ubuntu-latest\n    needs: build-and-deploy\n    if: needs.build-and-deploy.outputs.deployed == 'true'\n    steps:\n      - name: Configure AWS credentials\n        uses: aws-actions/configure-aws-credentials@v4\n        with:\n          role-to-assume: ${{ secrets.PENTEST_ROLE_ARN }}\n          aws-region: ${{ env.AWS_REGION }}\n\n      - name: Checkout shared actions\n        uses: actions/checkout@v4\n        with:\n          repository: your-org/security-actions\n          path: .github/shared-actions\n          token: ${{ secrets.ACTIONS_PAT }}\n\n      - name: Set up Python\n        uses: actions/setup-python@v5\n        with:\n          python-version: '3.12'\n\n      - name: Install dependencies\n        run: pip install boto3\n\n      - name: Run Penetration Test\n        id: pentest\n     
   uses: ./.github/shared-actions/run-pentest\n        with:\n          agent-space-id: ${{ secrets.AGENT_SPACE_ID }}\n          pentest-id: ${{ secrets.PENTEST_ID }}\n          fail-on-critical: 'true'\n          fail-on-high: 'true'\n\n      - name: Upload results\n        if: always()\n        uses: actions/upload-artifact@v4\n        with:\n          name: pentest-results-${{ github.run_id }}\n          path: pentest-results.json\n          retention-days: 90\n```\n\n### Adding PR comments\n\nFor pull request workflows, you can add a step that posts a summary comment directly on the PR. This way developers can see the results without leaving their normal workflow:\n\n```yaml\n      - name: Comment on PR\n        if: always() && github.event_name == 'pull_request'\n        uses: actions/github-script@v7\n        with:\n          script: |\n            const fs = require('fs');\n            const results = JSON.parse(fs.readFileSync('pentest-results.json'));\n            const s = results.summary;\n            const status = s.critical > 0 || s.high > 0 ? 
'\u274c FAILED' : '\u2705 PASSED';\n            const body = [\n              `## \ud83d\udee1\ufe0f Pentest Results \u2014 ${status}`,\n              `| Level | Count |`,\n              `|---|---|`,\n              `| \ud83d\udd34 Critical | ${s.critical} |`,\n              `| \ud83d\udfe0 High | ${s.high} |`,\n              `| \ud83d\udfe1 Medium | ${s.medium} |`,\n              `| \ud83d\udd35 Low | ${s.low} |`,\n              ``,\n              `**Job:** \\`${results.metadata.pentestJobId}\\``,\n              `**Overview:** ${results.metadata.overview || 'N/A'}`,\n            ].join('\\n');\n            github.rest.issues.createComment({\n              issue_number: context.issue.number,\n              owner: context.repo.owner,\n              repo: context.repo.repo,\n              body\n            });\n```\n\nThis gives developers immediate visibility into security findings without leaving their pull request.\n\n## How the quality gate works\n\nThe quality gate logic is kept simple on purpose. It uses two dimensions from the `ListFindings` API response:\n\n| Field | Values | Purpose |\n|---|---|---|\n| `riskLevel` | CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL | Severity of the vulnerability |\n| `confidence` | HIGH, MEDIUM, LOW, UNCONFIRMED, FALSE_POSITIVE | How certain the agent is |\n\nThe gate only blocks on findings where **both** the risk level is CRITICAL or HIGH **and** the confidence is HIGH. So in practice:\n\n- A CRITICAL finding with MEDIUM confidence \u2192 gets logged but does not block\n- A HIGH finding with HIGH confidence \u2192 blocks the deployment\n- A MEDIUM finding with HIGH confidence \u2192 gets logged but does not block\n\nThis reduces false-positive friction while still catching the confirmed severe vulnerabilities. Teams can adjust thresholds using the action inputs.\n\n## Results and reporting\n\nThe action writes a structured JSON file (`pentest-results.json`) that gets uploaded as a GitHub Actions artefact. 
This file contains:\n\n- **Metadata**: job ID, status, timestamp, and a natural-language overview of what got tested\n- **Summary**: counts by severity level\n- **Findings**: individual finding summaries with risk type, level, and confidence\n\nFor teams that need long-term retention or want to build dashboards, you can add an S3 upload step:\n\n```yaml\n      - name: Upload to S3\n        if: always()\n        run: |\n          aws s3 cp pentest-results.json \\\n            s3://${{ secrets.RESULTS_BUCKET }}/pentest-results/${{ secrets.AGENT_SPACE_ID }}/${{ github.run_id }}/results.json\n```\n\nYou can then query these results with Amazon Athena for trend analysis across your application portfolio.\n\n## End-to-end onboarding flow\n\nHere is the complete sequence from initial request to automated testing:\n\n![End-to-end onboarding flow: intake, CDK deployment, app team setup, repeatable pipeline](diagram-onboarding-flow.png)\n\n## Differences to traditional DAST solution\n\nTraditional dynamic application security testing (DAST) tools scan running applications without understanding their context. They just throw payloads at endpoints and see what sticks. AWS Security Agent takes a different approach:\n\n- **Context-aware testing**: When you upload architecture documents, API specs, and threat models, the agent builds a deep understanding of your application. It creates customised attack plans based on your specific business logic, not just generic vulnerability signatures.\n- **Adaptive execution**: The agent adjusts its attack strategy based on what it discovers during testing. If it finds an interesting endpoint or error response, it pivots to explore that path further.\n- **Multi-step attack chains**: Rather than testing individual inputs in isolation, the agent chains together multiple techniques. 
For example, combining server-side template injection with error forcing and debug output analysis to find more complex exploits.\n- **Authenticated testing**: By configuring actors with credentials from Secrets Manager, the agent tests your application as different user roles, uncovering authorisation and privilege escalation issues that unauthenticated scanning would miss.\n\n## Tips for production use\n\n**Start with a staging environment.** Point your pentest targets at a staging or pre-production environment that mirrors production. Even better, use a dedicated environment just for penetration testing. This makes sure the agent's testing doesn't affect real users.\n\n**Provide rich context.** The more context you give the agent (OpenAPI specs, architecture diagrams, threat models), the more targeted the testing becomes. Upload these through the Web Application when creating your pentest configuration.\n\n**Tune the timeout.** Pentest run duration depends on the breadth of the target application and the number of risk types configured. The [AWS Security Agent documentation](https://docs.aws.amazon.com/securityagent/latest/userguide/security-guidance.html) notes that runs can take up to 12 hours when all risk types are enabled. The default 120-minute timeout in the action works for narrowly scoped tests, but increase it (or narrow the scope of risk types in your pentest configuration) for comprehensive assessments.\n\n**Check service quotas before scaling.** AWS Security Agent has soft (adjustable) limits on concurrent pentest runs, agent spaces, and pentest projects per account per region. 
If you plan to onboard multiple application teams or run pentests on every PR, check the [AWS Security Agent service quotas](https://docs.aws.amazon.com/securityagent/latest/userguide/quotas.html) and request increases through AWS Support where needed.\n\n**Use branch protection rules.** Combine the pentest quality gate with GitHub branch protection rules so the pentest job must pass before merging to main.\n\n**Enable auto-remediation.** AWS Security Agent can automatically create pull requests with fixes for discovered vulnerabilities. You can enable this in the pentest configuration through the Web Application to close the loop faster.\n\n\n## Conclusion\n\nBy integrating AWS Security Agent into your CI/CD pipeline, penetration testing goes from a periodic manual bottleneck to a continuous automated practice. Every deployment gets tested. Critical vulnerabilities block releases before they reach production. Your security team can focus on strategic work instead of scheduling engagements.\n\nThe shift-left approach works here because the integration is lightweight for application teams. Just a few GitHub secrets and a workflow file, while the central team maintains the shared infrastructure and action. This scales across your organisation: onboard a new application by deploying one CDK stack and having the app team configure their targets through the Web UI.\n\nTo get started, visit the [AWS Security Agent console](https://console.aws.amazon.com/securityagent/) and create your first Agent Space. 
For more details on the service capabilities, see the [AWS Security Agent documentation](https://docs.aws.amazon.com/securityagent/latest/userguide/what-is.html).\n\n", "creation_timestamp": "2026-05-25T10:30:58.000000Z"}, {"uuid": "010bda32-b354-4ace-813b-1d39dad1a1ea", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/hq1WnakkbxJpSdatpwq9NAKRiUtHFa8ysgfQqaCqIO8mwqo", "content": "", "creation_timestamp": "2026-05-25T09:00:04.000000Z"}, {"uuid": "c650b090-be0d-4ec1-846a-2a5cd5c6e798", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/-Rw1GdqgLbdPMkOwlVEIvz70NMtSIs0WWvrIrO5vIfavaPE", "content": "", "creation_timestamp": "2026-05-25T11:00:08.000000Z"}, {"uuid": "bcf0445f-4e13-4567-b563-557075e4dfd2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/p4pSz48sW8Fl1dqUeH21RBDMwtfRPHmaTBryFak7xdWuTDY", "content": "", "creation_timestamp": "2026-05-25T15:00:06.000000Z"}, {"uuid": "d67887aa-89e9-4ed7-8c06-3cbe2fe8867f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "Telegram/X1Szwu_qpRNev2GcuASsATzQD-1aeqEPKRVacdyAUElWlBI", "content": "", "creation_timestamp": "2026-05-25T15:00:12.000000Z"}, {"uuid": "3e7ddbec-9727-4f6e-b020-be8903930fd3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42945", "type": "seen", "source": "https://bsky.app/profile/shortinfo.bsky.social/post/3mmozdjola72r", "content": "Server admins running 
NGINX should patch now. CVE-2026-42945 (NGINX Rift) is an 18-year-old heap buffer overflow in the rewrite module. Unauthenticated RCE possible where ASLR is weak. F5 patched May 13 (K000161019). Active exploitation in the wild.", "creation_timestamp": "2026-05-25T17:36:54.359496Z"}]}