18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE

thehackernews.com·May 14, 2026

Cybersecurity researchers have revealed several vulnerabilities in NGINX Plus and NGINX Open, including a critical heap buffer overflow flaw in the ngx_http_rewrite_module, which has existed for 18 years and could enable remote code execution.

The critical vulnerability in NGINX Plus and NGINX Open, CVE-2026-42945, remained undetected for 18 years, which demonstrates the importance of regular and thorough code audits even in widely used, mature software. It also highlights the need for continuous vulnerability assessments and automated scanning tools that identify potential threats early, especially in components like ngx_http_rewrite_module that are integral to web server operations.
