CVE-2026-8711
Severity CVSS v4.0: CRITICAL
Type: CWE-122 Heap-based Buffer Overflow
Publication date: 19/05/2026
Last modified: 04/06/2026
Description
NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Impact
Base Score 4.0: 9.20
Severity 4.0: CRITICAL
Base Score 3.x: 8.10
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:f5:njs:*:*:*:*:*:*:*:* | 0.9.4 (including) | 0.9.9 (excluding) |
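A configuration audit for the condition in the description, added here as a defender's check and not taken from the advisory or from F5: it flags js_fetch_proxy values that use the variable prefixes the advisory names, marks any other variable for manual review, and tests an njs version against the listed range. The sample configuration, host names and function names are constructed for illustration, and the check does not confirm that the location also invokes ngx.fetch().

```python
import re

# Variable prefixes the advisory gives as examples of client-controlled input.
CLIENT_PREFIXES = ("http_", "arg_", "cookie_")
# Affected njs range from the advisory's CPE table: 0.9.4 <= version < 0.9.9.
AFFECTED_FROM, FIXED_IN = (0, 9, 4), (0, 9, 9)
DIRECTIVE = re.compile(r"(?:^|[;{}])\s*js_fetch_proxy\s+([^;]*);", re.MULTILINE)
VARIABLE = re.compile(r"\$\{?(\w+)\}?")

# Constructed sample configuration (not from the advisory).
SAMPLE_CONF = """\
http {
    server {
        location /a { js_fetch_proxy http://$http_x_proxy_user:pw@proxy.example:3128; js_content main.a; }
        location /b {
            # js_fetch_proxy http://$arg_p:3128;
            js_fetch_proxy http://${proxy_upstream}:3128;
            js_content main.b;
        }
        location /c { js_fetch_proxy http://proxy.example:3128; js_content main.c; }
    }
}
"""

def njs_affected(version):
    """True if a dotted njs version string falls in the advisory's range."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_FROM <= parts < FIXED_IN

def audit(conf):
    """Return (line_no, value, verdict) for every js_fetch_proxy directive."""
    # Naive comment stripping: ignores '#' inside quoted strings, keeps line count.
    clean = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    findings = []
    for m in DIRECTIVE.finditer(clean):
        value = m.group(1).strip()
        names = VARIABLE.findall(value)
        if any(n.startswith(CLIENT_PREFIXES) for n in names):
            verdict = "client-controlled"   # matches a prefix named in the advisory
        elif names:
            verdict = "review"              # other variables may still carry request data
        else:
            verdict = "static"
        line_no = clean.count("\n", 0, m.start(1)) + 1
        findings.append((line_no, value, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(*finding)
```

The prefixes in the advisory are examples only, so a "review" verdict still needs a look at how that variable is set (for instance through `set` or `map`) before it is treated as safe.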



