Active Exploitation of NGINX and openDCIM Flaws Underway
Threat actors are actively exploiting a recently disclosed heap buffer overflow vulnerability in **NGINX** and **NGINX Plus**, tracked as **CVE-2026-42945**. Simultaneously, critical vulnerabilities in **openDCIM**, an open-source data center infrastructure management application, are also being targeted.

**NGINX** and **NGINX Plus** users are urged to apply the latest patches following reports of active exploitation of **CVE-2026-42945**, a heap buffer overflow in the `ngx_http_rewrite_module`. This vulnerability affects NGINX versions 0.6.27 through 1.30.0 and was reportedly introduced in 2008.
### NGINX Vulnerability Details
The vulnerability, which carries a CVSS score of 9.2, could allow an unauthenticated attacker to crash worker processes or, potentially, achieve remote code execution via crafted HTTP requests. However, successful remote code execution (RCE) is contingent on Address Space Layout Randomization (ASLR) being disabled on the target system.

Security researcher Kevin Beaumont noted that exploitation requires a specific NGINX configuration and attacker knowledge of that configuration. AlmaLinux maintainers echoed this, stating that while reliable code execution might not be trivial in default configurations with ASLR enabled, the risk of worker-crash denial-of-service (DoS) is significant enough to warrant immediate attention.

**VulnCheck** has confirmed active exploitation attempts against its honeypot networks, although the precise nature and objectives of these attacks remain unclear. Users are strongly advised to apply the latest fixes from **F5** to mitigate potential threats.
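The two facts a defender needs for triage here are whether the installed NGINX falls in the affected range and whether ASLR is on, since the article ties RCE to ASLR being disabled while the worker-crash DoS applies either way. The following script is an added example, not code from the article, F5 or the NGINX project: it parses the version string printed by `nginx -v`, checks it against the 0.6.27 through 1.30.0 range stated above, and reads the Linux kernel ASLR setting from `/proc/sys/kernel/randomize_va_space`. The range bounds come from the article; the function names, the verdict wording and the assumption that `nginx -v` writes its version to stderr are mine.

```python
"""Added example (not from the article, F5 or NGINX): local triage for
CVE-2026-42945. Affected range 0.6.27..1.30.0 is taken from the article;
the article does not name the fixed release, so only the range is checked."""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (0, 6, 27)   # first affected version per the article
AFFECTED_MAX: Version = (1, 30, 0)   # last affected version per the article


def parse_nginx_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `nginx -v` output such as
    'nginx version: nginx/1.24.0'. Returns None when no version is present."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_in_affected_range(version: Version) -> bool:
    """Inclusive tuple comparison: 0.6.27 <= version <= 1.30.0."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def describe_aslr(randomize_va_space: Optional[str]) -> str:
    """Interpret /proc/sys/kernel/randomize_va_space (Linux):
    0 = ASLR disabled, 1 = stack/mmap/VDSO randomised, 2 = heap (brk) too."""
    if randomize_va_space is None:
        return "unknown"
    return {"0": "disabled", "1": "partial", "2": "full"}.get(
        randomize_va_space.strip(), "unknown")


def assess(version_text: str, randomize_va_space: Optional[str]) -> dict:
    """Combine both checks into a triage verdict (wording is mine)."""
    version = parse_nginx_version(version_text)
    affected = version is not None and is_in_affected_range(version)
    aslr = describe_aslr(randomize_va_space)
    if not affected:
        risk = "version outside affected range (verify distro backports)"
    elif aslr == "disabled":
        risk = "affected; ASLR disabled: RCE plausible, patch immediately"
    else:
        risk = "affected; ASLR enabled: worker-crash DoS still possible, patch"
    return {"version": version, "affected": affected, "aslr": aslr, "risk": risk}


def read_local_state() -> dict:
    """Run the checks against the local host (Linux, nginx on PATH)."""
    try:
        # Assumption: nginx -v prints its banner on stderr; stdout is read too.
        out = subprocess.run(["nginx", "-v"], capture_output=True,
                             text=True, check=False)
        version_text = out.stderr + out.stdout
    except FileNotFoundError:
        version_text = ""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            rva: Optional[str] = f.read()
    except OSError:
        rva = None
    return assess(version_text, rva)


if __name__ == "__main__":
    print(read_local_state())
```

A version string alone is not conclusive on distribution builds: vendors such as AlmaLinux backport fixes without bumping the upstream version, so an "affected" result should be confirmed against the distribution's advisory, and a "not affected" result on a very old package should be treated with the same caution.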
### openDCIM Flaws Under Active Attack
In a parallel development, **VulnCheck** also reported active exploitation of two critical vulnerabilities in **openDCIM**, an open-source application for data center infrastructure management. Both flaws carry a CVSS score of 9.3:
* **CVE-2026-28515**: A missing authorization vulnerability that could allow authenticated users to access LDAP configuration functionality regardless of assigned privileges. In Docker deployments without authentication enforcement, this could lead to unauthorized modification of application configurations.
* **CVE-2026-28517**: An operating system command injection vulnerability in the `report_network_map.php` component. It processes the "dot" parameter without proper sanitization, passing it directly to a shell command, potentially allowing arbitrary code execution.

These vulnerabilities were discovered alongside **CVE-2026-28516**, an SQL injection vulnerability in **openDCIM**, by **VulnCheck** security researcher Valentin Lobstein. Lobstein demonstrated that these three flaws can be chained to achieve remote code execution via five HTTP requests, ultimately spawning a reverse shell.

Caitlin Condon, vice president of security research at **VulnCheck**, stated that the observed attacker activity originates from a single Chinese IP address and appears to utilize a customized implementation of the AI vulnerability discovery tool Vulnhuntr to identify vulnerable installations before deploying a PHP web shell.
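Because the CVE-2026-28517 description above names both the endpoint and the parameter, a defender can look back through web-server access logs for requests to `report_network_map.php` whose `dot` value carries shell metacharacters. The script below is an added example, not code from the article, VulnCheck or the openDCIM project: it parses Apache/NGINX combined-format lines, decodes the query string and flags `dot` values containing characters that would break out of a single shell argument. The endpoint and parameter names are from the article; the log format, the metacharacter set, the benign value `neato` and the sample lines are constructed for the example.

```python
"""Added example (not from the article or openDCIM): heuristic access-log
scan for CVE-2026-28517 probing. Endpoint/parameter names come from the
article; the log lines below are constructed, not real traffic."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TARGET_PATH = "report_network_map.php"
# Characters that let a value escape a single shell argument (set is mine)
SHELL_META = set(";|&`$<>\n()")


def parse_line(line: str):
    """Return the captured fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_dot_values(target: str):
    """Decoded `dot` values containing shell metacharacters for requests to
    the affected endpoint; empty for other paths or clean values."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_PATH):
        return []
    # parse_qs percent-decodes, so %3B becomes ';' before the check
    values = parse_qs(parts.query, keep_blank_values=True).get("dot", [])
    return [v for v in values if SHELL_META & set(v)]


def scan_log(lines):
    """Return (client, time, decoded_value) for every flagged request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        for value in suspicious_dot_values(rec["target"]):
            hits.append((rec["client"], rec["time"], value))
    return hits


# Constructed sample log; 203.0.113.0/24 is RFC 5737 documentation space.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /report_network_map.php?dot=neato HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /report_network_map.php?dot=neato%3Bid HTTP/1.1" 200 98
203.0.113.7 - - [01/Jan/2026:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.9 - - [01/Jan/2026:10:00:12 +0000] "POST /report_network_map.php HTTP/1.1" 302 0
""".splitlines()


if __name__ == "__main__":
    for client, when, value in scan_log(SAMPLE_LOG):
        print(f"{when} {client} suspicious dot={value!r}")
```

Only GET query strings are visible in an access log; a `dot` value sent in a POST body (the last sample line) is invisible to this scan and needs a WAF, reverse-proxy request log or application-level logging to catch. The metacharacter list is a heuristic, not a parser of what `report_network_map.php` accepts, so treat hits as leads for investigation rather than confirmed exploitation.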