| 2023-10-10 | CVE-2023-44487 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | 7.5 |
| 2022-03-23 | CVE-2021-3618 | ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. | 7.4 |
| 2021-06-06 | CVE-2017-20005 | Integer Overflow or Wraparound vulnerability in multiple products
NGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module. | 9.8 |
| 2021-06-01 | CVE-2021-23017 | A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact. | 7.7 |
| 2020-01-09 | CVE-2019-20372 | HTTP Request Smuggling vulnerability in multiple products
NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. | 5.3 |
| 2019-08-13 | CVE-2019-9516 | Allocation of Resources Without Limits or Throttling vulnerability in multiple products
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. | 6.5 |
| 2019-08-13 | CVE-2019-9513 | Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. | 7.5 |
| 2019-08-13 | CVE-2019-9511 | Allocation of Resources Without Limits or Throttling vulnerability in multiple products
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. | 7.5 |
| 2018-11-07 | CVE-2018-16845 | nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. | 6.1 |
| 2017-07-13 | CVE-2017-7529 | Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request. | 7.5 |