The main branch nginx 1.29.7 has been released; new features continue to be developed there, while the stable branch nginx 1.28.3 is maintained in parallel and receives only fixes for serious bugs and vulnerabilities. The latest updates address 6 vulnerabilities, including three buffer overflows. Four of them are rated high severity, with scores of 8.8 or 8.5 out of 10.
- CVE-2026-27654 – Buffer overflow in the ngx_http_dav_module module when handling WebDAV COPY and MOVE requests, allowing file paths to be modified so that they point outside the base directory.
- CVE-2026-27784, CVE-2026-32647 – Buffer overflows in the ngx_http_mp4_module module when handling certain mp4 files; the impact may go beyond a simple process crash.
- CVE-2026-27651 – Null pointer dereference when the CRAM-MD5 or APOP authentication methods are used incorrectly.
- CVE-2026-28753 – Manipulation of DNS PTR records allows attacker-controlled data to be substituted into auth_http requests and into the XCLIENT command sent over the SMTP connection to the backend.
Sources: reports, release notes, official announcements.