Nginx on HackingPassion.com : root@HackingPassion.com-[~]https://hackingpassion.com/tags/nginx/Recent content in Nginx on HackingPassion.com : root@HackingPassion.com-[~]HugoenWed, 03 Jun 2026 13:38:05 +0200HTTP/2 Bomb Takes Down nginx Apache IIS Envoy and Cloudflarehttps://hackingpassion.com/http2-bomb-remote-dos/Wed, 03 Jun 2026 13:38:05 +0200https://hackingpassion.com/http2-bomb-remote-dos/<p>A new exploit called <strong>HTTP/2 Bomb</strong> lets one ordinary home computer take down nginx, Apache, Microsoft IIS, Envoy and Cloudflare Pingora, the web servers behind a huge share of the internet, <strong>in a matter of seconds</strong>.</p> <p>It forces those servers to tie up <strong>tens of gigabytes of memory</strong> until they stop responding, it abuses the configuration they ship with by default, and when the research went public three of the five still had no patch.</p>NGINX Has Had This Bug Since 2008 and One Request Is Enough to Trigger Ithttps://hackingpassion.com/nginx-rift-cve-2026-42945/Thu, 14 May 2026 13:22:10 +0200https://hackingpassion.com/nginx-rift-cve-2026-42945/<p><strong>NGINX Rift:</strong> An 18-year-old memory corruption bug in NGINX, the web server running on roughly one-third of all websites globally, lets an unauthenticated attacker crash a server with a single crafted HTTP request. On systems where ASLR is disabled, that same request achieves remote code execution. The bug has been in every standard build since 2008. It was publicly disclosed yesterday, after being found by an AI system in six hours.</p>Nginx-UI MCPwn (CVE-2026-33032): Full Server Takeover With One Unauthenticated Requesthttps://hackingpassion.com/nginx-ui-mcpwn-cve-2026-33032/Thu, 16 Apr 2026 11:11:43 +0200https://hackingpassion.com/nginx-ui-mcpwn-cve-2026-33032/<p>A critical vulnerability in nginx-ui has been actively exploited since March 2026, and it gives any attacker on the network full control over the nginx server behind it without a single credential. <strong>CVE-2026-33032</strong> scores <strong>9.8 on the CVSS scale</strong>, sits inside an AI integration that was added to the tool in late 2025, and the entire root cause turned out to be 27 characters of missing code. Recorded Future assigned it a risk score of <strong>94 out of 100</strong>. The researchers who found it named it <strong>MCPwn</strong>. 😏</p>Hackers Are Hijacking NGINX Servers Without Installing Malwarehttps://hackingpassion.com/nginx-hijacking-no-malware/Thu, 05 Feb 2026 13:58:06 +0100https://hackingpassion.com/nginx-hijacking-no-malware/<p>Hackers are hijacking NGINX web servers and rerouting live traffic through their own infrastructure. No malware installed, no vulnerability exploited. Just a few lines changed in a configuration file, and every visitor&rsquo;s data flows through attacker-controlled servers without anyone noticing. 🧐</p> <p>NGINX is the most popular web server on the planet. It powers over 5 million websites and handles roughly one in three web connections worldwide. Banks, governments, and universities all depend on it. And right now, a campaign is silently turning these servers into traffic relays.</p>