CVE-2026-8711— NGINX JavaScript vulnerability
Possible ATT&CK Techniques 2AI
T1068 · Exploitation for Privilege Escalation T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| F5 | NGINX JavaScript | 0.9.4< 0.9.9 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8711
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
NGINX JavaScript vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
堆缓冲区溢出
Source: NVD (National Vulnerability Database)
Vulnerability Title
NGINX JavaScript 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
NGINX JavaScript是NGINX开源的一个扩展。 NGINX JavaScript存在安全漏洞,该漏洞源于js_fetch_proxy指令配置客户端控制的NGINX变量时,可能导致堆缓冲区溢出,进而导致工作进程重启;在ASLR禁用时可能执行代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| F5 | NGINX JavaScript | 0.9.4 ~ 0.9.9 | - |
II. Public POCs for CVE-2026-8711
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-8711
请登录查看更多情报信息。
- https://my.f5.com/manage/s/article/K000161307vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-8711
IV. Related Vulnerabilities
Same vendor: F5
Same weakness: CWE-122
- CVE-2026-45252
Heap overflow in FUSE_LISTXATTR - CVE-2026-44050
Heap buffer overflow in CNID daemon comm_rcv() - CVE-2026-9149
Libsolv: heap buffer overflow in libsolv repo_add_solv via n - CVE-2026-8631
HP Linux Imaging and Printing Software – Potential Escalatio - CVE-2026-9123
Chrome Android/Linux/ChromeOS堆缓冲区溢出漏洞
V. Comments for CVE-2026-8711
No comments yet