F 5 has announced patches for three critical memory safety vulnerabilities in NGINX Plus and NGINX Open Source. The most severe, CVE-2026-42533, relates to a code execution vulnerability in the map directive, with a CVSS score of 9.2. No confirmed exploits exist at this time, but all users are urged to update to the latest versions (NGINX Plus 37.0.3.1, NGINX Open Source 1.31.3 or 1.30.4).
The vulnerabilities are significant as they allow unauthenticated attackers to exploit them via crafted HTTP requests, impacting various downstream products. The details of each vulnerability include specific technical explanations and mitigation strategies. Users are encouraged to apply updates or configurations that limit exposure. Affected versions and social sharing options are also highlighted.