CVE-2026-8711

HIGH 8.1

NGINX JavaScript vulnerability

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE	CWE-122
Vendor	f5
Product	nginx javascript
Published	May 19, 2026
Last Updated	May 20, 2026

Stay Ahead of the Next One

Get instant alerts for f5 nginx javascript

Be the first to know when new high vulnerabilities affecting f5 nginx javascript are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

F5 / NGINX JavaScript

0.9.4 < 0.9.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

my.f5.com: https://my.f5.com/manage/s/article/K000161307

Credits

🔍 "F5 acknowledges udolemi (S2W) for bringing this issue to our attention and following the highest standards of coordinated disclosure."