CVE-2026-27654
Severity
8.8 HIGH
EPSS
0.0%
top 90.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Mar 24
Latest update Apr 14
Description
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configu…
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
Affected Packages: 5 packages
Vulnerability Details (4)
VulDB
F5 NGINX Open Source/NGINX Plus DAV Module ngx_http_dav_module heap-based overflow (K000160382 / Nessus ID 305582) (2026-04-14)
OSV
CVE-2026-27654: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to t (2026-03-24)
GHSA
GHSA-6r46-2qjx-j5j3: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to t (2026-03-24)
Vendor Advisories (4)
Red Hat
NGINX: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module (2026-03-24)
F5
CVE-2026-27654: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker ... (2026-03-24)
Debian
CVE-2026-27654: nginx - NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module... (2026)
Threat Intelligence (1)
Community (1)
Bugzilla
CVE-2026-27654 NGINX: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module (2026-03-24)