CVE-2026-27654 - Vulnerability Analysis
High | CVSS: 8.2 | Last Updated: March 24, 2026
NGINX - Buffer Overflow
Published: March 24, 2026 | Updated: March 24, 2026 | Remote Exploitable
Overview
NGINX Open Source and NGINX Plus contain a buffer overflow caused by improper handling of the DAV module's MOVE or COPY methods when they are used with a prefix location and the alias directive. An attacker can cause worker process termination or modify file names outside the document root. Exploitation requires a specific configuration in which the DAV module's MOVE or COPY methods are enabled.
Severity & Score
Severity: High
CVSS Score: 8.2
Impact
Attackers can terminate worker processes or modify file names outside document root, potentially disrupting service or causing limited file tampering.
Mitigation
Update to the latest supported version of NGINX Open Source or NGINX Plus.
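An added example, not part of the advisory or of NGINX itself: a small Python audit that lists location blocks matching the precondition described in the Overview (a prefix location that uses alias while dav_methods enables MOVE or COPY), so they can be prioritised for the update. The sample configuration is constructed, the parser is simplified (no include handling), and treating locations without a ~, ~*, = or @ form as prefix locations is an assumption of this example.

```python
import re

# Constructed sample config for this example (not taken from the advisory).
SAMPLE = """
http {
  server {
    dav_methods PUT DELETE;
    location /static/ { alias /srv/static/; }
    location /upload/ {
      alias /srv/dav/;
      dav_methods PUT DELETE MKCOL COPY MOVE;
    }
    location ~ ^/re/(.*)$ { alias /srv/re/$1; dav_methods COPY; }
    location /files/ { root /srv; dav_methods MOVE; }
  }
}
"""

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def find_exposed_locations(conf_text):
    """Return prefix locations that combine alias with DAV MOVE or COPY."""
    text = re.sub(r"#.*", "", conf_text)  # drop comments (simplified)
    stack = [{"name": "", "dav": set(), "alias": False}]
    words, hits = [], []
    for tok in TOKEN.findall(text):
        if tok == "{":  # block opens; dav_methods is inherited from the parent
            stack.append({"name": " ".join(words),
                          "dav": set(stack[-1]["dav"]), "alias": False})
            words = []
        elif tok == ";":  # a simple directive ends
            if words[:1] == ["dav_methods"]:
                stack[-1]["dav"] = {w.upper() for w in words[1:]}
            elif words[:1] == ["alias"]:
                stack[-1]["alias"] = True
            words = []
        elif tok == "}" and len(stack) > 1:  # block closes; evaluate it
            blk, words = stack.pop(), []
            parts = blk["name"].split()
            # Assumption: "prefix location" = no regex (~, ~*), exact (=) or named (@) form.
            prefix = (len(parts) >= 2 and parts[0] == "location"
                      and not parts[1].startswith(("~", "=", "@")))
            if prefix and blk["alias"] and blk["dav"] & {"MOVE", "COPY"}:
                hits.append(parts[-1])
        elif tok != "}":
            words.append(tok)
    return hits

if __name__ == "__main__":
    for loc in find_exposed_locations(SAMPLE):
        print("review:", loc)
```

Run it against the fully expanded configuration (for example the output of `nginx -T`) so that included files are covered.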
Details
- CVE ID: CVE-2026-27654
- Severity: High
- CVSS Score: 8.2
- Type: buffer_overflow
- Status: unconfirmed
CWE
- CWE-122
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H