CVE-2026-27944 — Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Discl

Description

Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure in github.com/0xJacky/Nginx-UI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/0xJacky/Nginx-UI before v2.3.3.

How to fix CVE-2026-27944

To remediate CVE-2026-27944, upgrade the affected package to a fixed version below.

—upgrade to 2.3.3 or later
—no fix listed

Is CVE-2026-27944 being exploited?

Moderate — EPSS is 7.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 2.3.3
from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-27944
PATCHgithub.com/0xJacky/nginx-ui
WEBcsrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final
WEBgithub.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762