{"id":"CVE-2026-8711","details":"NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.","modified":"2026-07-08T08:13:53.027450278Z","published":"2026-05-19T15:16:33.017Z","database_specific":{},"references":[{"type":"ADVISORY","url":"https://my.f5.com/manage/s/article/K000161307"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nginx/njs","events":[{"introduced":"927d38d8438e8b3b3db63af4d9f6324210fd5dab"},{"fixed":"9ead4e71f74a27279f3212bdb6cadb0e86981a1b"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:f5:njs:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0.9.4"},{"fixed":"0.9.9"}]}}],"versions":["0.9.8","0.9.7","0.9.6","0.9.5","0.9.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8711.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}