CVE-2026-28753

CWE-939 documents9 sources

Severity

6.3MEDIUM

EPSS

0.0%

top 93.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Nginx Open Source F5 Nginx Plus

Timeline

PublishedMar 24

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶CVEListV5f5/nginx_open_source0.6.27 — 1.28.3+1

▶NVDf5/nginx_open_source1.0.0 — 1.28.3+2

▶CVEListV5f5/nginx_plusR36 — R36 P3+4

▶NVDf5/nginx_plus5 versions+4

▶Debiannginx< 1.28.3-1

🔴Vulnerability Details

GHSA

GHSA-ggr6-fmr8-2m8g: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS respons↗2026-03-24

▶

OSV

CVE-2026-28753: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS respons↗2026-03-24

▶

CVEList

NGINX ngx_mail_proxy_module vulnerability↗2026-03-24

▶

📋Vendor Advisories

Red Hat

NGINX: NGINX Plus: NGINX Open Source: NGINX Plus and NGINX Open Source: Request manipulation via header injection in SMTP upstream requests↗2026-03-24

▶

CVE-2026-28753: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling...↗2026-03-24

▶

Microsoft

NGINX ngx_mail_proxy_module vulnerability↗2026-03-10

▶

Debian

CVE-2026-28753: nginx - NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_modul...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28753 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶