cbcvebase.
CVE-2026-8711
published 2026-05-19

Priority: P266 | critical | 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.89% (54.8th percentile)
NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
f5 | nginx_javascript | >= 0.9.4 < 0.9.9 | 0.9.9
f5 | njs | >= 0.9.4 < 0.9.9 | 0.9.9
ubuntu | libnginx-mod-js | |

Detection & IOCs (extracted from sources)

  • Trigger condition: js_fetch_proxy directive configured with a client-controlled NGINX variable (e.g., $http_*, $arg_*, $cookie_*) AND a location invoking ngx.fetch() — crafted HTTP requests to such an endpoint are the attack vector.
  • Monitor NGINX worker process for unexpected crashes/restarts, which may indicate heap buffer overflow exploitation attempts against this vulnerability.
  • Higher-severity impact (RCE) on systems with ASLR disabled or where ASLR can be bypassed; prioritize patching or ASLR enforcement on affected NGINX hosts.
  • Vulnerability is only exploitable when js_fetch_proxy is configured with at least one client-controlled NGINX variable (e.g., $http_*, $arg_*, $cookie_*) AND a location block invokes ngx.fetch() via NGINX JavaScript. Configurations not meeting both conditions are not affected.
  • Software versions that have reached End of Technical Support (EoTS) are not evaluated for this CVE.
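
A configuration audit for the first trigger condition above, as an added example that is not part of the original page or of NGINX's own tooling. The function name `audit_fetch_proxy` and the sample configuration are constructed; it assumes js_fetch_proxy takes one URL argument, checks only the three variable prefixes the advisory names, follows `set` indirection but not `map` or `js_set`, and does not check whether a location actually calls ngx.fetch().

```python
import re

# Variable prefixes the advisory gives as examples of client-controlled input.
CLIENT = re.compile(r"(?:http|arg|cookie)_\w+")
VAR = re.compile(r"\$\{?(\w+)")

def audit_fetch_proxy(conf_text):
    """Return [(line_no, argument, tainted variable names)] for risky directives."""
    # Drop comments but keep newlines so reported line numbers stay correct.
    text = "\n".join(re.sub(r"(?:^|(?<=\s))#.*", "", line)
                     for line in conf_text.splitlines())
    # Variables assigned from other values: `set $name expr;`
    source = {}
    for m in re.finditer(r"\bset\s+\$(\w+)\s+([^;]*);", text):
        source.setdefault(m.group(1), []).append(m.group(2))

    def tainted(name, seen=()):
        if CLIENT.fullmatch(name):
            return True
        if name in seen:  # guard against self-referencing `set` chains
            return False
        return any(tainted(v, seen + (name,))
                   for expr in source.get(name, []) for v in VAR.findall(expr))

    findings = []
    # A directive may span several lines; it ends at the first ';'.
    for m in re.finditer(r"\bjs_fetch_proxy\s+([^;]*);", text):
        bad = sorted({v for v in VAR.findall(m.group(1)) if tainted(v)})
        if bad:
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, m.group(1).strip(), bad))
    return findings

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """\
server {
    set $egress $http_x_egress;
    location /static { js_fetch_proxy http://proxy.internal.example:3128; }
    location /direct { js_fetch_proxy http://$arg_proxy:3128; }
    # js_fetch_proxy http://$cookie_p:3128;
    location /derived {
        js_fetch_proxy
            http://$egress:3128;
    }
}
"""

if __name__ == "__main__":
    for line_no, arg, names in audit_fetch_proxy(SAMPLE):
        print(f"line {line_no}: js_fetch_proxy {arg}  <- {', '.join(names)}")
```

A hit means the first condition is met; the host is affected only if it also runs an njs version in the listed range and a location invokes ngx.fetch().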

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X