Ctrl + K
/ news / CVE
CVEPublished 2026-05-22Modified 2026-06-181 article on news5 live referencesNVD data

CVE-2026-9256F5 · Nginx_open_source

Vulnerability data via NVD (ingested)

CVSS v3.1
8.1
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS percentile
55
Exploit Prediction Scoring System · top 45% of all CVEs
Weaknesses (CWE)
CWE-122Heap-based Buffer Overflow
Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Timeline
Published 2026-05-22
Modified 2026-06-18

External references

NVDMITREExploit-DBSploitusVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts
vuln:CVE-2026-9256
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product
product:"F5 Nginx Open Source"
All exposed F5 Nginx Open Source instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"Nginx Open Source"
HTTP body or banner mentions "Nginx Open Source" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2026-9256
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-9256
Censys host search filtered to this CVE id.
grep.app
CVE-2026-9256
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-9256
GitHub code search for direct mentions.
Google dork
"CVE-2026-9256" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (8)

CVE-2026-92568 repos
nomi-sec/PoC-in-GitHubunknown
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
★ 7,850·updated today
GhostTroops/TOPShell
TOP All bugbounty pentesting CVE-2023- POC Exp RCE example payload Things
★ 731·updated today
Threekiii/CVEunknown
一个 CVE 漏洞预警知识库,无 exp/poc,部分包含修复方案。A knowledge base of CVE security vulnerability, no PoCs/exploits.
★ 170·updated today
lyonzin/knowledge-ragPython
[knowledge-rag] - Drop docs, search instantly from Claude Code — 13 MCP tools, 20 format parsers, hybrid search + reranking. Zero servers, zero API keys, 100% local.
★ 101·updated today
DarkFunct/TK-CVE-RepoPython
TK-CVE-Repo
★ 50·updated 2w ago
friparia/NGINX_RIFT_SCAN_CVE_2026_42945Python
Nginx Rewrite CVE Scan(CVE-2026-42945 nginx-rift CVE-2026-9256)
★ 34·updated 3w ago
lowphpcom/wnmpShell
WNMP One‑Click Stack | WebDAV · Nginx · PHP · MariaDB · Kernel Tuning
★ 25·updated 3d ago
califio/ngxrayPython
ngxray — nginx config security scanner
★ 23·updated 3w ago
Articles on news mentioning CVE-2026-9256