CVE-2026-28753

Severity CVSS v4.0:

MEDIUM

Type:

CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

Publication date:

24/03/2026

Last modified:

26/03/2026

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS v4.0 Severity and Metrics:

Base Score: 6.30 MEDIUM
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Attack Vector (AV): Network
Attack Complexity (AC): High
Attack Requirements (AT): Present
Privileges Required (PR): None
User Interaction (UI): None
Confidentiality (VC): None
Integrity (VI): Low
Availability (VA): None
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): None

Base Score 4.0

6.30

Severity 4.0

MEDIUM

Vector 3.x

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 3.70 LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): None

Base Score 3.x

3.70

Severity 3.x

LOW

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:f5:nginx_plus:r32:p1::::::
cpe:2.3:a:f5:nginx_plus:r32:p2::::::
cpe:2.3:a:f5:nginx_plus:r32:p3::::::
cpe:2.3:a:f5:nginx_plus:r32:p4::::::
cpe:2.3:a:f5:nginx_plus:r33:::::::*
cpe:2.3:a:f5:nginx_plus:r33:p1::::::
cpe:2.3:a:f5:nginx_plus:r33:p2::::::
cpe:2.3:a:f5:nginx_plus:r33:p3::::::
cpe:2.3:a:f5:nginx_plus:r34:::::::*
cpe:2.3:a:f5:nginx_plus:r34:p1::::::
cpe:2.3:a:f5:nginx_plus:r34:p2::::::
cpe:2.3:a:f5:nginx_plus:r35:::::::*
cpe:2.3:a:f5:nginx_plus:r35:p1::::::
cpe:2.3:a:f5:nginx_plus:r36:::::::*
cpe:2.3:a:f5:nginx_plus:r36:p1::::::

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://my.f5.com/manage/s/article/K000160367

CPE	From	Up to
cpe:2.3:a:f5:nginx_plus:r32:p1::::::
cpe:2.3:a:f5:nginx_plus:r32:p2::::::
cpe:2.3:a:f5:nginx_plus:r32:p3::::::
cpe:2.3:a:f5:nginx_plus:r32:p4::::::
cpe:2.3:a:f5:nginx_plus:r33:::::::*
cpe:2.3:a:f5:nginx_plus:r33:p1::::::
cpe:2.3:a:f5:nginx_plus:r33:p2::::::
cpe:2.3:a:f5:nginx_plus:r33:p3::::::
cpe:2.3:a:f5:nginx_plus:r34:::::::*
cpe:2.3:a:f5:nginx_plus:r34:p1::::::
cpe:2.3:a:f5:nginx_plus:r34:p2::::::
cpe:2.3:a:f5:nginx_plus:r35:::::::*
cpe:2.3:a:f5:nginx_plus:r35:p1::::::
cpe:2.3:a:f5:nginx_plus:r36:::::::*
cpe:2.3:a:f5:nginx_plus:r36:p1::::::