CVE-2026-28755 (GCVE-0-2026-28755)
Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-24 15:24 – CWE-863: Incorrect Authorization
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000160368 | vendor-advisory |
| Vendor | Product | Version |
|---|---|---|
| F5 | NGINX Open Source | Affected: 1.29.0, < 1.29.7 (semver); Affected: 1.27.2, < 1.28.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28755",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T15:24:10.756255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T15:24:16.108Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_stream_ssl_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "1.29.7",
"status": "affected",
"version": "1.29.0",
"versionType": "semver"
},
{
"lessThan": "1.28.3",
"status": "affected",
"version": "1.27.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unknown",
"modules": [
"ngx_stream_ssl_module"
],
"product": "NGINX Plus",
"vendor": "F5",
"versions": [
{
"lessThan": "R36 P3",
"status": "affected",
"version": "R36",
"versionType": "custom"
},
{
"lessThan": "R35 P2",
"status": "affected",
"version": "R35",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "R34",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "R33",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mufeed VH of Winfunc Research"
}
],
"datePublic": "2026-03-24T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. \u0026nbsp; \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. \u00a0 \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T14:43:39.944Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000160368"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "NGINX ngx_stream_ssl_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-28755",
"datePublished": "2026-03-24T14:13:26.502Z",
"dateReserved": "2026-03-18T16:06:38.442Z",
"dateUpdated": "2026-03-24T15:24:16.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-28755",
"date": "2026-04-15",
"epss": "0.00014",
"percentile": "0.0244"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-28755\",\"sourceIdentifier\":\"f5sirt@f5.com\",\"published\":\"2026-03-24T15:16:33.773\",\"lastModified\":\"2026-03-26T14:09:37.177\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. \u00a0 \\n\\n\\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\"},{\"lang\":\"es\",\"value\":\"NGINX Plus y NGINX Open Source tienen una vulnerabilidad en el m\u00f3dulo ngx_stream_ssl_module debido al manejo inadecuado de certificados revocados cuando se configura con las directivas ssl_verify_client on y ssl_ocsp on, permitiendo que el handshake TLS tenga \u00e9xito incluso despu\u00e9s de que una verificaci\u00f3n OCSP identifique el certificado como revocado.\\n\\nNota: Las versiones de software que han alcanzado el Fin de Soporte T\u00e9cnico (EoTS) no son 
evaluadas.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",
\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4F58BD02-EA76-4F32-87D6-430026C8553E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"46DC49B8-7286-4867-9CDA-1C1B469CD304\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"43477C2E-7485-4146-B25C-F58D632CD85B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"6A25B9CF-02C0-42DE-9C70-F2AD3ACE3CEB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"86358605-55F9-4F6F-846A-3F48738F6E05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7453D683-FCA7-46EE-BE49-5FD9A01D7F87\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"A977BF9F-D165-4B93-B4D2-A177883A5E75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4958360C-7993-4C82-8685-202D4940CE01\"},{\"vulnerable\":tru
e,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"942CA349-3FF8-4B9D-B87E-FBA8930CE913\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7993A0FB-BE7E-4634-BF7F-FDEE3582D3E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"862EA47E-8D57-434E-9C8F-238325FB85B2\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.5.13\",\"versionEndIncluding\":\"0.9.7\",\"matchCriteriaId\":\"BABB440C-6106-42C6-8E67-101182F26C86\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.27.2\",\"versionEndExcluding\":\"1.28.3\",\"matchCriteriaId\":\"8F07D30E-931D-415D-83C6-59F1EC804688\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.29.0\",\"versionEndExcluding\":\"1.29.7\",\"matchCriteriaId\":\"C0EFE28B-E8E5-464E-B407-96436CA87C8E\"}]}]}],\"references\":[{\"url\":\"https://my.f5.com/manage/s/article/K000160368\",\"source\":\"f5sirt@f5.com\",\"tags\":[\"Vendor Advisory\",\"Mitigation\"]}]}}"
}
}
CERTFR-2026-AVI-0376
Vulnerability from certfr_avis - Published: 2026-03-30 - Updated: 2026-03-30
De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Microsoft | CBL Mariner | cbl2 telegraf 1.29.4-21 versions antérieures à 1.29.4-22 |
| Microsoft | Azure Linux | azl3 glibc 2.38-18 versions antérieures à 2.38-19 |
| Microsoft | Azure Linux | azl3 squid 6.13-3 versions antérieures à 6.13-4 |
| Microsoft | Azure Linux | azl3 python-pyasn1 0.4.8-1 versions antérieures à 0.4.8-2 |
| Microsoft | Azure Linux | azl3 nginx 1.28.2-1 versions antérieures à 1.28.3-1 |
| Microsoft | CBL Mariner | cbl2 ncurses 6.4-3 versions antérieures à 6.4-4 |
| Microsoft | Azure Linux | azl3 kernel 6.6.126.1-1 versions antérieures à 6.6.130.1-1 |
| Microsoft | Azure Linux | azl3 ncurses 6.4-2 versions antérieures à 6.4-3 |
| Microsoft | CBL Mariner | cbl2 terraform 1.3.2-29 versions antérieures à 1.3.2-30 |
| Microsoft | Azure Linux | azl3 libsoup 3.4.4-12 versions antérieures à 3.4.4-14 |
| Microsoft | Azure Linux | azl3 etcd 3.5.21-1 versions antérieures à 3.5.28-1 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "cbl2 telegraf 1.29.4-21 versions ant\u00e9rieures \u00e0 1.29.4-22",
"product": {
"name": "CBL Mariner",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 glibc 2.38-18 versions ant\u00e9rieures \u00e0 2.38-19",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 squid 6.13-3 versions ant\u00e9rieures \u00e0 6.13-4",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 python-pyasn1 0.4.8-1 versions ant\u00e9rieures \u00e0 0.4.8-2",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 nginx 1.28.2-1 versions ant\u00e9rieures \u00e0 1.28.3-1",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 ncurses 6.4-3 versions ant\u00e9rieures \u00e0 6.4-4",
"product": {
"name": "CBL Mariner",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 kernel 6.6.126.1-1 versions ant\u00e9rieures \u00e0 6.6.130.1-1",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 ncurses 6.4-2 versions ant\u00e9rieures \u00e0 6.4-3",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 terraform 1.3.2-29 versions ant\u00e9rieures \u00e0 1.3.2-30",
"product": {
"name": "CBL Mariner",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 libsoup 3.4.4-12 versions ant\u00e9rieures \u00e0 3.4.4-14",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 etcd 3.5.21-1 versions ant\u00e9rieures \u00e0 3.5.28-1",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-23318",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23318"
},
{
"name": "CVE-2026-23368",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23368"
},
{
"name": "CVE-2026-23281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23281"
},
{
"name": "CVE-2026-32647",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32647"
},
{
"name": "CVE-2026-23269",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23269"
},
{
"name": "CVE-2026-23293",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23293"
},
{
"name": "CVE-2026-23290",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23290"
},
{
"name": "CVE-2026-27651",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27651"
},
{
"name": "CVE-2026-23303",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23303"
},
{
"name": "CVE-2026-27654",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27654"
},
{
"name": "CVE-2026-23340",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23340"
},
{
"name": "CVE-2026-23253",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23253"
},
{
"name": "CVE-2026-33343",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33343"
},
{
"name": "CVE-2026-23271",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23271"
},
{
"name": "CVE-2026-23268",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23268"
},
{
"name": "CVE-2026-23285",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23285"
},
{
"name": "CVE-2026-23304",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23304"
},
{
"name": "CVE-2026-23357",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23357"
},
{
"name": "CVE-2026-4645",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4645"
},
{
"name": "CVE-2026-23324",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23324"
},
{
"name": "CVE-2026-23347",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23347"
},
{
"name": "CVE-2026-28755",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-28755"
},
{
"name": "CVE-2026-23317",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23317"
},
{
"name": "CVE-2026-23334",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23334"
},
{
"name": "CVE-2026-23391",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23391"
},
{
"name": "CVE-2026-23319",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23319"
},
{
"name": "CVE-2026-23279",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23279"
},
{
"name": "CVE-2026-23244",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23244"
},
{
"name": "CVE-2026-23246",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23246"
},
{
"name": "CVE-2026-30922",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-30922"
},
{
"name": "CVE-2026-23286",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23286"
},
{
"name": "CVE-2026-23359",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23359"
},
{
"name": "CVE-2026-23298",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23298"
},
{
"name": "CVE-2026-23296",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23296"
},
{
"name": "CVE-2026-23396",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23396"
},
{
"name": "CVE-2026-23370",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23370"
},
{
"name": "CVE-2026-23315",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23315"
},
{
"name": "CVE-2026-23352",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23352"
},
{
"name": "CVE-2026-23367",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23367"
},
{
"name": "CVE-2026-32748",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32748"
},
{
"name": "CVE-2026-23300",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23300"
},
{
"name": "CVE-2026-23379",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23379"
},
{
"name": "CVE-2026-23381",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23381"
},
{
"name": "CVE-2026-23392",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23392"
},
{
"name": "CVE-2026-23245",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23245"
},
{
"name": "CVE-2026-4438",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4438"
},
{
"name": "CVE-2026-23364",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23364"
},
{
"name": "CVE-2026-23274",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23274"
},
{
"name": "CVE-2026-23284",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23284"
},
{
"name": "CVE-2026-23397",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23397"
},
{
"name": "CVE-2026-23343",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23343"
},
{
"name": "CVE-2026-23336",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23336"
},
{
"name": "CVE-2025-69720",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69720"
},
{
"name": "CVE-2026-23289",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23289"
},
{
"name": "CVE-2026-23292",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23292"
},
{
"name": "CVE-2026-23277",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23277"
},
{
"name": "CVE-2026-4437",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4437"
},
{
"name": "CVE-2026-27784",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27784"
},
{
"name": "CVE-2026-23388",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23388"
},
{
"name": "CVE-2026-28753",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-28753"
},
{
"name": "CVE-2026-33526",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33526"
},
{
"name": "CVE-2026-23310",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23310"
},
{
"name": "CVE-2026-2369",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2369"
},
{
"name": "CVE-2026-33515",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33515"
},
{
"name": "CVE-2026-23395",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23395"
},
{
"name": "CVE-2026-23100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23100"
},
{
"name": "CVE-2026-23306",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23306"
},
{
"name": "CVE-2026-33413",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33413"
},
{
"name": "CVE-2026-23291",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23291"
},
{
"name": "CVE-2026-23382",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23382"
},
{
"name": "CVE-2026-23312",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23312"
},
{
"name": "CVE-2026-23365",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23365"
},
{
"name": "CVE-2026-23356",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23356"
},
{
"name": "CVE-2026-23307",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23307"
},
{
"name": "CVE-2026-23398",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23398"
},
{
"name": "CVE-2026-23351",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23351"
},
{
"name": "CVE-2026-23390",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23390"
}
],
"initial_release_date": "2026-03-30T00:00:00",
"last_revision_date": "2026-03-30T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0376",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-03-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-32748",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32748"
},
{
"published_at": "2026-03-22",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-4438",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4438"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23347",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23347"
},
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23268",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23268"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23392",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23392"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23319",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23319"
},
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23253",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23253"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23296",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23296"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23364",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23364"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23368",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23368"
},
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-27654",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27654"
},
{
"published_at": "2026-03-21",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-30922",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-30922"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23286",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23286"
},
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23396",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23396"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23340",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23340"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23324",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23324"
},
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33515",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33515"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23318",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23318"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23379",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23379"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23317",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23317"
},
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-27784",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27784"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23359",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23359"
},
{
"published_at": "2026-03-19",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23245",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23245"
},
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23269",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23269"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23298",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23298"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23304",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23304"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23370",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23370"
},
{
"published_at": "2026-03-22",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23100",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23100"
},
{
"published_at": "2026-03-21",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23271",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23271"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23352",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23352"
},
{
"published_at": "2026-03-28",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33343",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33343"
},
{
"published_at": "2026-03-22",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-4437",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4437"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23343",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23343"
},
{
"published_at": "2026-03-28",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33413",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33413"
},
{
"published_at": "2026-03-19",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23246",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23246"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23279",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23279"
},
{
"published_at": "2026-03-19",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23244",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23244"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23367",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23367"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23307",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23307"
},
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23398",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23398"
},
{
"published_at": "2026-03-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-69720",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-69720"
},
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-28755",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-28755"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23300",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23300"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23381",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23381"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23356",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23356"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23351",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23351"
},
{
"published_at": "2026-03-21",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23277",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23277"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23315",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23315"
},
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-4645",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4645"
},
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33526",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33526"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23382",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23382"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23310",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23310"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23306",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23306"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23336",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23336"
},
{
"published_at": "2026-03-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-2369",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-2369"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23391",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23391"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23290",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23290"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23312",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23312"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23388",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23388"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23390",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23390"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23303",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23303"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23289",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23289"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23293",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23293"
},
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-27651",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27651"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23291",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23291"
},
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-28753",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-28753"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23334",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23334"
},
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-32647",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32647"
},
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23397",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23397"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23281",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23281"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23365",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23365"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23285",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23285"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23292",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23292"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23284",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23284"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23395",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23395"
},
{
"published_at": "2026-03-21",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23274",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23274"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23357",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23357"
}
]
}
CERTFR-2026-AVI-0352
Vulnerability from certfr_avis - Published: 2026-03-25 - Updated: 2026-03-25
De multiples vulnérabilités ont été découvertes dans les produits F5. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| F5 | NGINX Plus | NGINX Plus versions R32 Px antérieures à R32 P5 |
| F5 | NGINX Plus | NGINX Plus versions R35 Px antérieures à R35 P2 |
| F5 | NGINX Plus | NGINX Plus versions R36 Px antérieures à R36 P3 |
| F5 | NGINX Open Source | Nginx Open Source versions 1.29.x antérieures à 1.29.7 |
| F5 | NGINX Open Source | Nginx Open Source versions 1.28.x antérieures à 1.28.3 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "NGINX Plus versions R32 Px ant\u00e9rieures \u00e0 R32 P5",
"product": {
"name": "NGINX Plus",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Plus versions R35 Px ant\u00e9rieures \u00e0 R35 P2",
"product": {
"name": "NGINX Plus",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Plus versions R36 Px ant\u00e9rieures \u00e0 R36 P3",
"product": {
"name": "NGINX Plus",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "Nginx Open Source versions 1.29.x ant\u00e9rieures \u00e0 1.29.7",
"product": {
"name": "NGINX Open Source",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "Nginx Open Source versions 1.28.x ant\u00e9rieures \u00e0 1.28.3",
"product": {
"name": "NGINX Open Source",
"vendor": {
"name": "F5",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-32647",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32647"
},
{
"name": "CVE-2026-27651",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27651"
},
{
"name": "CVE-2026-27654",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27654"
},
{
"name": "CVE-2026-28755",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-28755"
},
{
"name": "CVE-2026-27784",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27784"
},
{
"name": "CVE-2026-28753",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-28753"
}
],
"initial_release_date": "2026-03-25T00:00:00",
"last_revision_date": "2026-03-25T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0352",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-03-25T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits F5. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits F5",
"vendor_advisories": [
{
"published_at": "2026-03-25",
"title": "Bulletin de s\u00e9curit\u00e9 Nginx K000160383",
"url": "https://my.f5.com/manage/s/article/K000160383"
},
{
"published_at": "2026-03-25",
"title": "Bulletin de s\u00e9curit\u00e9 Nginx K000160368",
"url": "https://my.f5.com/manage/s/article/K000160368"
},
{
"published_at": "2026-03-25",
"title": "Bulletin de s\u00e9curit\u00e9 Nginx K000160367",
"url": "https://my.f5.com/manage/s/article/K000160367"
},
{
"published_at": "2026-03-24",
"title": "Bulletin de s\u00e9curit\u00e9 F5 K000160336",
"url": "https://my.f5.com/manage/s/article/K000160336"
},
{
"published_at": "2026-03-25",
"title": "Bulletin de s\u00e9curit\u00e9 Nginx K000160382",
"url": "https://my.f5.com/manage/s/article/K000160382"
},
{
"published_at": "2026-03-25",
"title": "Bulletin de s\u00e9curit\u00e9 Nginx K000160364",
"url": "https://my.f5.com/manage/s/article/K000160364"
},
{
"published_at": "2026-03-25",
"title": "Bulletin de s\u00e9curit\u00e9 Nginx K000160366",
"url": "https://my.f5.com/manage/s/article/K000160366"
}
]
}
WID-SEC-W-2026-0860
Vulnerability from csaf_certbund - Published: 2026-03-24 23:00 - Updated: 2026-04-09 22:00
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "NGINX Plus ist die kommerzielle Variante von NGINX, einer Webserver-, Reverse Proxy- und E-Mail Proxy Software.\r\nNGINX ist eine Webserver-, Reverse Proxy- und E-Mail-Proxy Software.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in NGINX Plus und NGINX ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren, um Daten zu manipulieren, um Sicherheitsvorkehrungen zu umgehen, und potenziell um beliebigen Programmcode auszuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0860 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0860.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0860 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0860"
},
{
"category": "external",
"summary": "EU Vulnerability Database vom 2026-03-24",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-14880"
},
{
"category": "external",
"summary": "EU Vulnerability Database vom 2026-03-24",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-14881"
},
{
"category": "external",
"summary": "EU Vulnerability Database vom 2026-03-24",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-14883"
},
{
"category": "external",
"summary": "EU Vulnerability Database vom 2026-03-24",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-14885"
},
{
"category": "external",
"summary": "EU Vulnerability Database vom 2026-03-24",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-14887"
},
{
"category": "external",
"summary": "EU Vulnerability Database vom 2026-03-24",
"url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-14897"
},
{
"category": "external",
"summary": "F5 Security Advisory vom 2026-03-24",
"url": "https://my.f5.com/manage/s/article/K000160383"
},
{
"category": "external",
"summary": "F5 Security Advisory vom 2026-03-24",
"url": "https://my.f5.com/manage/s/article/K000160382"
},
{
"category": "external",
"summary": "F5 Security Advisory vom 2026-03-24",
"url": "https://my.f5.com/manage/s/article/K000160364"
},
{
"category": "external",
"summary": "F5 Security Advisory vom 2026-03-24",
"url": "https://my.f5.com/manage/s/article/K000160367"
},
{
"category": "external",
"summary": "F5 Security Advisory vom 2026-03-24",
"url": "https://my.f5.com/manage/s/article/K000160368"
},
{
"category": "external",
"summary": "F5 Security Advisory vom 2026-03-24",
"url": "https://my.f5.com/manage/s/article/K000160366"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2026-4DE4D247A0 vom 2026-03-25",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-4de4d247a0"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:10423-1 vom 2026-03-28",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XQVD3WMISNZQSD5MXTECPJHIO3LBJKQ7/"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-6906 vom 2026-04-08",
"url": "https://linux.oracle.com/errata/ELSA-2026-6906.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:6907 vom 2026-04-08",
"url": "https://access.redhat.com/errata/RHSA-2026:6907"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:6906 vom 2026-04-08",
"url": "https://access.redhat.com/errata/RHSA-2026:6906"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:6923 vom 2026-04-08",
"url": "https://errata.build.resf.org/RLSA-2026:6923"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:6923 vom 2026-04-08",
"url": "https://access.redhat.com/errata/RHSA-2026:6923"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:7002 vom 2026-04-08",
"url": "https://access.redhat.com/errata/RHSA-2026:7002"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-6923 vom 2026-04-08",
"url": "https://linux.oracle.com/errata/ELSA-2026-6923.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:6907 vom 2026-04-09",
"url": "https://errata.build.resf.org/RLSA-2026:6907"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:7343 vom 2026-04-09",
"url": "https://access.redhat.com/errata/RHSA-2026:7343"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-7002 vom 2026-04-09",
"url": "https://linux.oracle.com/errata/ELSA-2026-7002.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-6907 vom 2026-04-09",
"url": "https://linux.oracle.com/errata/ELSA-2026-6907.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:6906 vom 2026-04-09",
"url": "https://errata.build.resf.org/RLSA-2026:6906"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:7343 vom 2026-04-10",
"url": "https://errata.build.resf.org/RLSA-2026:7343"
}
],
"source_lang": "en-US",
"title": "NGINX und NGINX Plus: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-04-09T22:00:00.000+00:00",
"generator": {
"date": "2026-04-10T07:10:07.356+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0860",
"initial_release_date": "2026-03-24T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-03-24T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-03-25T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Fedora aufgenommen"
},
{
"date": "2026-03-29T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-04-07T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Oracle Linux, Red Hat und Rocky Enterprise Software Foundation aufgenommen"
},
{
"date": "2026-04-08T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Oracle Linux und Rocky Enterprise Software Foundation aufgenommen"
},
{
"date": "2026-04-09T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Red Hat, Oracle Linux und Rocky Enterprise Software Foundation aufgenommen"
}
],
"status": "final",
"version": "6"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Fedora Linux",
"product": {
"name": "Fedora Linux",
"product_id": "74185",
"product_identification_helper": {
"cpe": "cpe:/o:fedoraproject:fedora:-"
}
}
}
],
"category": "vendor",
"name": "Fedora"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.29.7",
"product": {
"name": "NGINX NGINX \u003c1.29.7",
"product_id": "T052140"
}
},
{
"category": "product_version",
"name": "1.29.7",
"product": {
"name": "NGINX NGINX 1.29.7",
"product_id": "T052140-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nginx:nginx:1.29.7"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.28.3",
"product": {
"name": "NGINX NGINX \u003c1.28.3",
"product_id": "T052141"
}
},
{
"category": "product_version",
"name": "1.28.3",
"product": {
"name": "NGINX NGINX 1.28.3",
"product_id": "T052141-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nginx:nginx:1.28.3"
}
}
}
],
"category": "product_name",
"name": "NGINX"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cR36 P3",
"product": {
"name": "NGINX NGINX Plus \u003cR36 P3",
"product_id": "T052137"
}
},
{
"category": "product_version",
"name": "R36 P3",
"product": {
"name": "NGINX NGINX Plus R36 P3",
"product_id": "T052137-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nginx:nginx_plus:r36_p3"
}
}
},
{
"category": "product_version_range",
"name": "\u003cR35 P2",
"product": {
"name": "NGINX NGINX Plus \u003cR35 P2",
"product_id": "T052138"
}
},
{
"category": "product_version",
"name": "R35 P2",
"product": {
"name": "NGINX NGINX Plus R35 P2",
"product_id": "T052138-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nginx:nginx_plus:r35_p2"
}
}
},
{
"category": "product_version_range",
"name": "\u003cR32 P5",
"product": {
"name": "NGINX NGINX Plus \u003cR32 P5",
"product_id": "T052139"
}
},
{
"category": "product_version",
"name": "R32 P5",
"product": {
"name": "NGINX NGINX Plus R32 P5",
"product_id": "T052139-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nginx:nginx_plus:r32_p5"
}
}
}
],
"category": "product_name",
"name": "NGINX Plus"
}
],
"category": "vendor",
"name": "NGINX"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "RESF Rocky Linux",
"product": {
"name": "RESF Rocky Linux",
"product_id": "T032255",
"product_identification_helper": {
"cpe": "cpe:/o:resf:rocky_linux:-"
}
}
}
],
"category": "vendor",
"name": "RESF"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-27651",
"product_status": {
"known_affected": [
"T052140",
"T052141",
"67646",
"T027843",
"T052139",
"T052137",
"T052138",
"T004914",
"T032255",
"74185"
]
},
"release_date": "2026-03-24T23:00:00.000+00:00",
"title": "CVE-2026-27651"
},
{
"cve": "CVE-2026-27654",
"product_status": {
"known_affected": [
"T052140",
"T052141",
"67646",
"T027843",
"T052139",
"T052137",
"T052138",
"T004914",
"T032255",
"74185"
]
},
"release_date": "2026-03-24T23:00:00.000+00:00",
"title": "CVE-2026-27654"
},
{
"cve": "CVE-2026-27784",
"product_status": {
"known_affected": [
"T052140",
"T052141",
"67646",
"T027843",
"T052139",
"T052137",
"T052138",
"T004914",
"T032255",
"74185"
]
},
"release_date": "2026-03-24T23:00:00.000+00:00",
"title": "CVE-2026-27784"
},
{
"cve": "CVE-2026-32647",
"product_status": {
"known_affected": [
"T052140",
"T052141",
"67646",
"T027843",
"T052139",
"T052137",
"T052138",
"T004914",
"T032255",
"74185"
]
},
"release_date": "2026-03-24T23:00:00.000+00:00",
"title": "CVE-2026-32647"
},
{
"cve": "CVE-2026-28755",
"product_status": {
"known_affected": [
"T052140",
"T052141",
"67646",
"T027843",
"T052139",
"T052137",
"T052138",
"T004914",
"T032255",
"74185"
]
},
"release_date": "2026-03-24T23:00:00.000+00:00",
"title": "CVE-2026-28755"
},
{
"cve": "CVE-2026-28753",
"product_status": {
"known_affected": [
"T052140",
"T052141",
"67646",
"T027843",
"T052139",
"T052137",
"T052138",
"T004914",
"T032255",
"74185"
]
},
"release_date": "2026-03-24T23:00:00.000+00:00",
"title": "CVE-2026-28753"
}
]
}
GHSA-HGFR-JMPR-2P89
Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-03-24 15:30
NGINX Plus and NGINX Open Source have a vulnerability in the `ngx_stream_ssl_module` module due to the improper handling of revoked certificates when configured with the `ssl_verify_client on` and `ssl_ocsp on` directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2026-28755"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T15:16:33Z",
"severity": "MODERATE"
},
"details": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. \u00a0 \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-hgfr-jmpr-2p89",
"modified": "2026-03-24T15:30:29Z",
"published": "2026-03-24T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28755"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000160368"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
bit-nginx-2026-28755
Vulnerability from bitnami_vulndb
NGINX Plus and NGINX Open Source have a vulnerability in the `ngx_stream_ssl_module` module due to the improper handling of revoked certificates when configured with the `ssl_verify_client on` and `ssl_ocsp on` directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "nginx",
"purl": "pkg:bitnami/nginx"
},
"ranges": [
{
"events": [
{
"introduced": "1.27.2"
},
{
"fixed": "1.28.3"
},
{
"introduced": "1.29.0"
},
{
"fixed": "1.29.7"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
],
"aliases": [
"CVE-2026-28755"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*"
],
"severity": "Medium"
},
"details": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. \u00a0 \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "BIT-nginx-2026-28755",
"modified": "2026-03-27T07:40:55.991Z",
"published": "2026-03-27T07:10:13.976Z",
"references": [
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000160368"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28755"
}
],
"schema_version": "1.6.2",
"summary": "NGINX ngx_stream_ssl_module vulnerability"
}
OPENSUSE-SU-2026:10423-1
Vulnerability from csaf_opensuse - Published: 2026-03-25 00:00 - Updated: 2026-03-25 00:00
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "nginx-1.29.7-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the nginx-1.29.7-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10423",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10423-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27651 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27651/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27654 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27654/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27784 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27784/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-28753 page",
"url": "https://www.suse.com/security/cve/CVE-2026-28753/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-28755 page",
"url": "https://www.suse.com/security/cve/CVE-2026-28755/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32647 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32647/"
}
],
"title": "nginx-1.29.7-1.1 on GA media",
"tracking": {
"current_release_date": "2026-03-25T00:00:00Z",
"generator": {
"date": "2026-03-25T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10423-1",
"initial_release_date": "2026-03-25T00:00:00Z",
"revision_history": [
{
"date": "2026-03-25T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "nginx-1.29.7-1.1.aarch64",
"product": {
"name": "nginx-1.29.7-1.1.aarch64",
"product_id": "nginx-1.29.7-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nginx-source-1.29.7-1.1.aarch64",
"product": {
"name": "nginx-source-1.29.7-1.1.aarch64",
"product_id": "nginx-source-1.29.7-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nginx-1.29.7-1.1.ppc64le",
"product": {
"name": "nginx-1.29.7-1.1.ppc64le",
"product_id": "nginx-1.29.7-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nginx-source-1.29.7-1.1.ppc64le",
"product": {
"name": "nginx-source-1.29.7-1.1.ppc64le",
"product_id": "nginx-source-1.29.7-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nginx-1.29.7-1.1.s390x",
"product": {
"name": "nginx-1.29.7-1.1.s390x",
"product_id": "nginx-1.29.7-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nginx-source-1.29.7-1.1.s390x",
"product": {
"name": "nginx-source-1.29.7-1.1.s390x",
"product_id": "nginx-source-1.29.7-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nginx-1.29.7-1.1.x86_64",
"product": {
"name": "nginx-1.29.7-1.1.x86_64",
"product_id": "nginx-1.29.7-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nginx-source-1.29.7-1.1.x86_64",
"product": {
"name": "nginx-source-1.29.7-1.1.x86_64",
"product_id": "nginx-source-1.29.7-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.29.7-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64"
},
"product_reference": "nginx-1.29.7-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.29.7-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le"
},
"product_reference": "nginx-1.29.7-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.29.7-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x"
},
"product_reference": "nginx-1.29.7-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.29.7-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64"
},
"product_reference": "nginx-1.29.7-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-source-1.29.7-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64"
},
"product_reference": "nginx-source-1.29.7-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-source-1.29.7-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le"
},
"product_reference": "nginx-source-1.29.7-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-source-1.29.7-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x"
},
"product_reference": "nginx-source-1.29.7-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-source-1.29.7-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
},
"product_reference": "nginx-source-1.29.7-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-27651",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27651"
}
],
"notes": [
{
"category": "general",
"text": "When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27651",
"url": "https://www.suse.com/security/cve/CVE-2026-27651"
},
{
"category": "external",
"summary": "SUSE Bug 1260415 for CVE-2026-27651",
"url": "https://bugzilla.suse.com/1260415"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-27651"
},
{
"cve": "CVE-2026-27654",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27654"
}
],
"notes": [
{
"category": "general",
"text": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27654",
"url": "https://www.suse.com/security/cve/CVE-2026-27654"
},
{
"category": "external",
"summary": "SUSE Bug 1260416 for CVE-2026-27654",
"url": "https://bugzilla.suse.com/1260416"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-27654"
},
{
"cve": "CVE-2026-27784",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27784"
}
],
"notes": [
{
"category": "general",
"text": "The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27784",
"url": "https://www.suse.com/security/cve/CVE-2026-27784"
},
{
"category": "external",
"summary": "SUSE Bug 1260417 for CVE-2026-27784",
"url": "https://bugzilla.suse.com/1260417"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-27784"
},
{
"cve": "CVE-2026-28753",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-28753"
}
],
"notes": [
{
"category": "general",
"text": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-28753",
"url": "https://www.suse.com/security/cve/CVE-2026-28753"
},
{
"category": "external",
"summary": "SUSE Bug 1260418 for CVE-2026-28753",
"url": "https://bugzilla.suse.com/1260418"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2026-28753"
},
{
"cve": "CVE-2026-28755",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-28755"
}
],
"notes": [
{
"category": "general",
"text": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-28755",
"url": "https://www.suse.com/security/cve/CVE-2026-28755"
},
{
"category": "external",
"summary": "SUSE Bug 1260419 for CVE-2026-28755",
"url": "https://bugzilla.suse.com/1260419"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-28755"
},
{
"cve": "CVE-2026-32647",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32647"
}
],
"notes": [
{
"category": "general",
"text": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32647",
"url": "https://www.suse.com/security/cve/CVE-2026-32647"
},
{
"category": "external",
"summary": "SUSE Bug 1260420 for CVE-2026-32647",
"url": "https://bugzilla.suse.com/1260420"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
"openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-32647"
}
]
}
MSRC_CVE-2026-28755
Vulnerability from csaf_microsoft - Published: 2026-03-02 00:00 - Updated: 2026-03-28 14:38
| URL | Category | |
|---|---|---|
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2026-28755 NGINX ngx_stream_ssl_module vulnerability - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-28755.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "NGINX ngx_stream_ssl_module vulnerability",
"tracking": {
"current_release_date": "2026-03-28T14:38:55.000Z",
"generator": {
"date": "2026-03-29T07:23:46.507Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2026-28755",
"initial_release_date": "2026-03-02T00:00:00.000Z",
"revision_history": [
{
"date": "2026-03-27T01:02:26.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2026-03-27T14:45:20.000Z",
"legacy_version": "2",
"number": "2",
"summary": "Information published."
},
{
"date": "2026-03-28T14:38:55.000Z",
"legacy_version": "3",
"number": "3",
"summary": "Information published."
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
},
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 nginx 1.28.2-1",
"product": {
"name": "\u003cazl3 nginx 1.28.2-1",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "azl3 nginx 1.28.2-1",
"product": {
"name": "azl3 nginx 1.28.2-1",
"product_id": "21076"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 nginx 1.22.1-15",
"product": {
"name": "\u003ccbl2 nginx 1.22.1-15",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "cbl2 nginx 1.22.1-15",
"product": {
"name": "cbl2 nginx 1.22.1-15",
"product_id": "21077"
}
}
],
"category": "product_name",
"name": "nginx"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 nginx 1.28.2-1 as a component of Azure Linux 3.0",
"product_id": "17084-2"
},
"product_reference": "2",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 nginx 1.28.2-1 as a component of Azure Linux 3.0",
"product_id": "21076-17084"
},
"product_reference": "21076",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 nginx 1.22.1-15 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 nginx 1.22.1-15 as a component of CBL Mariner 2.0",
"product_id": "21077-17086"
},
"product_reference": "21077",
"relates_to_product_reference": "17086"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-28755",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"notes": [
{
"category": "general",
"text": "f5",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"21076-17084",
"21077-17086"
],
"known_affected": [
"17084-2",
"17086-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-28755 NGINX ngx_stream_ssl_module vulnerability - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-28755.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-27T01:02:26.000Z",
"details": "1.28.3-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-2"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2026-03-27T01:02:26.000Z",
"details": "1.22.1-16:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalsScore": 0.0,
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 5.4,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"17084-2",
"17086-1"
]
}
],
"title": "NGINX ngx_stream_ssl_module vulnerability"
}
]
}
FKIE_CVE-2026-28755
Vulnerability from fkie_nvd - Published: 2026-03-24 15:16 - Updated: 2026-03-26 14:09
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
| URL | Tags | ||
|---|---|---|---|
| f5sirt@f5.com | https://my.f5.com/manage/s/article/K000160368 | Vendor Advisory, Mitigation |
| Vendor | Product | Version | |
|---|---|---|---|
| f5 | nginx_plus | r33 | |
| f5 | nginx_plus | r33 | |
| f5 | nginx_plus | r33 | |
| f5 | nginx_plus | r33 | |
| f5 | nginx_plus | r34 | |
| f5 | nginx_plus | r34 | |
| f5 | nginx_plus | r34 | |
| f5 | nginx_plus | r35 | |
| f5 | nginx_plus | r36 | |
| f5 | nginx_plus | r36 | |
| f5 | nginx_plus | r36 | |
| f5 | nginx_open_source | * | |
| f5 | nginx_open_source | * | |
| f5 | nginx_open_source | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*",
"matchCriteriaId": "4F58BD02-EA76-4F32-87D6-430026C8553E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*",
"matchCriteriaId": "46DC49B8-7286-4867-9CDA-1C1B469CD304",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*",
"matchCriteriaId": "43477C2E-7485-4146-B25C-F58D632CD85B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*",
"matchCriteriaId": "6A25B9CF-02C0-42DE-9C70-F2AD3ACE3CEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*",
"matchCriteriaId": "86358605-55F9-4F6F-846A-3F48738F6E05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*",
"matchCriteriaId": "7453D683-FCA7-46EE-BE49-5FD9A01D7F87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*",
"matchCriteriaId": "A977BF9F-D165-4B93-B4D2-A177883A5E75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*",
"matchCriteriaId": "4958360C-7993-4C82-8685-202D4940CE01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*",
"matchCriteriaId": "942CA349-3FF8-4B9D-B87E-FBA8930CE913",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*",
"matchCriteriaId": "7993A0FB-BE7E-4634-BF7F-FDEE3582D3E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*",
"matchCriteriaId": "862EA47E-8D57-434E-9C8F-238325FB85B2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BABB440C-6106-42C6-8E67-101182F26C86",
"versionEndIncluding": "0.9.7",
"versionStartIncluding": "0.5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8F07D30E-931D-415D-83C6-59F1EC804688",
"versionEndExcluding": "1.28.3",
"versionStartIncluding": "1.27.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C0EFE28B-E8E5-464E-B407-96436CA87C8E",
"versionEndExcluding": "1.29.7",
"versionStartIncluding": "1.29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. \u00a0 \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
},
{
"lang": "es",
"value": "NGINX Plus y NGINX Open Source tienen una vulnerabilidad en el m\u00f3dulo ngx_stream_ssl_module debido al manejo inadecuado de certificados revocados cuando se configura con las directivas ssl_verify_client on y ssl_ocsp on, permitiendo que el handshake TLS tenga \u00e9xito incluso despu\u00e9s de que una verificaci\u00f3n OCSP identifique el certificado como revocado.\n\nNota: Las versiones de software que han alcanzado el Fin de Soporte T\u00e9cnico (EoTS) no son evaluadas."
}
],
"id": "CVE-2026-28755",
"lastModified": "2026-03-26T14:09:37.177",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "f5sirt@f5.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "f5sirt@f5.com",
"type": "Secondary"
}
]
},
"published": "2026-03-24T15:16:33.773",
"references": [
{
"source": "f5sirt@f5.com",
"tags": [
"Vendor Advisory",
"Mitigation"
],
"url": "https://my.f5.com/manage/s/article/K000160368"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "f5sirt@f5.com",
"type": "Primary"
}
]
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.