CRITICAL 9.8 CVE-2026-33032 nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover in github.com/0xJacky/Nginx-UI
from 0
CRITICAL 9.8 CVE-2026-33032 nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover in github.com/0xJacky/Nginx-UI
from 0, <= 1.99
CRITICAL 9.8 CVE-2026-27944 Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure in github.com/0xJacky/Nginx-UI
from 0, < 2.3.3
CRITICAL 9.8 Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure in github.com/0xJacky/Nginx-UI
from 0
CRITICAL 9.8 Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature in github.com/0xJacky/Nginx-UI
from 0, < 2.0.0-beta.12
CRITICAL 9.8 Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature in github.com/0xJacky/Nginx-UI
from 0
HIGH 8.8 Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF in github.com/0xJacky/Nginx-UI
from 0, < 2.0.0-beta.12
HIGH 8.8 Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF in github.com/0xJacky/Nginx-UI
from 0
HIGH 8.5 Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services
from 0, <= 2.3.4
HIGH 8.1 Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
>= 2.0.0, < 2.3.8
HIGH 8.1 Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints
from 0, < 1.9.10-0.20260316053337-1a9cd29a3082
HIGH 8.1 Nginx-UI: Disabled users retain full API access through previously issued bearer tokens
from 0, < 1.9.10-0.20260314152518-7b66578adb47
HIGH 7.7 Remote command execution in github.com/0xJacky/Nginx-UI
from 0, < 1.9.10-0.20231219184941-827e76c46e63
HIGH 7.7 Remote command execution in github.com/0xJacky/Nginx-UI
from 0, < 2.0.0.beta.9
HIGH 7.1 Arbitrary command execution in github.com/0xJacky/Nginx-UI
from 0, < 2.0.0.beta.9
HIGH 7.1 Arbitrary command execution in github.com/0xJacky/Nginx-UI
from 0, < 1.9.10-0.20231219184941-827e76c46e63
HIGH 7.0 SQL injection in github.com/0xJacky/Nginx-UI
from 0, < 2.0.0.beta.9
HIGH 7.0 SQL injection in github.com/0xJacky/Nginx-UI
from 0, < 1.9.10-0.20231219195202-ec93ab05a3ec
MEDIUM 6.5 Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
from 0, <= 1.9.9
— nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval in github.com/0xJacky/Nginx-UI
from 0
— nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval in github.com/0xJacky/Nginx-UI
from 0, <= 1.99
— nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse in github.com/0xJacky/Nginx-UI
from 0, <= 1.99
— nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse in github.com/0xJacky/Nginx-UI
from 0
— Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation in github.com/0xJacky/Nginx-UI
from 0
— Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation in github.com/0xJacky/Nginx-UI
from 0, <= 1.99
— nginx-ui Backup Restore Allows Tampering with Encrypted Backups in github.com/0xJacky/Nginx-UI
from 0
— nginx-ui Backup Restore Allows Tampering with Encrypted Backups in github.com/0xJacky/Nginx-UI
from 0, <= 1.9.9