pkg:Go/github.com/0xJacky/Nginx-UI

27 total CVEs: CRITICAL 6, HIGH 12, MEDIUM 1

All known vulnerabilities

  • CRITICAL 9.8 CVE-2026-33032: nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
    from 0
  • CRITICAL 9.8 CVE-2026-33032: nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
    from 0, <= 1.99
  • CRITICAL 9.8 CVE-2026-27944: Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure
    from 0, < 2.3.3
  • CRITICAL 9.8 CVE-2026-27944: Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure
    from 0
  • CRITICAL 9.8 CVE-2024-23827: Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature
    from 0, < 2.0.0-beta.12
  • CRITICAL 9.8 CVE-2024-23827: Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature
    from 0
  • HIGH 8.8 CVE-2024-23828: Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF in github.com/0xJacky/Nginx-UI
    from 0, < 2.0.0-beta.12
  • HIGH 8.8 CVE-2024-23828: Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF in github.com/0xJacky/Nginx-UI
    from 0
  • HIGH 8.5 CVE-2026-44015: Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services
    from 0, <= 2.3.4
  • HIGH 8.1 CVE-2026-42221: Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
    >= 2.0.0, < 2.3.8
  • HIGH 8.1 CVE-2026-34403: Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints
    from 0, < 1.9.10-0.20260316053337-1a9cd29a3082
  • HIGH 8.1 CVE-2026-33031: Nginx-UI: Disabled users retain full API access through previously issued bearer tokens
    from 0, < 1.9.10-0.20260314152518-7b66578adb47
  • HIGH 7.7 CVE-2024-22197: Authenticated (user role) remote command execution by modifying `nginx` settings (GHSL-2023-269)
    from 0, < 1.9.10-0.20231219184941-827e76c46e63
  • HIGH 7.7 CVE-2024-22197: Authenticated (user role) remote command execution by modifying `nginx` settings (GHSL-2023-269)
    from 0, < 2.0.0.beta.9
  • HIGH 7.1 CVE-2024-22198: Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)
    from 0, < 2.0.0.beta.9
  • HIGH 7.1 CVE-2024-22198: Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)
    from 0, < 1.9.10-0.20231219184941-827e76c46e63
  • HIGH 7.0 CVE-2024-22196: Authenticated (user role) SQL injection in `OrderAndPaginate` (GHSL-2023-270)
    from 0, < 2.0.0.beta.9
  • HIGH 7.0 CVE-2024-22196: Authenticated (user role) SQL injection in `OrderAndPaginate` (GHSL-2023-270)
    from 0, < 1.9.10-0.20231219195202-ec93ab05a3ec
  • MEDIUM 6.5 CVE-2026-42220: Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
    from 0, <= 1.9.9
  • CVE-2026-33029: nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval
    from 0
  • CVE-2026-33029: nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval
    from 0, <= 1.99
  • CVE-2026-33028: nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse
    from 0, <= 1.99
  • CVE-2026-33028: nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse
    from 0
  • CVE-2026-33027: Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation
    from 0
  • CVE-2026-33027: Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation
    from 0, <= 1.99
  • CVE-2026-33026: nginx-ui Backup Restore Allows Tampering with Encrypted Backups
    from 0
  • CVE-2026-33026: nginx-ui Backup Restore Allows Tampering with Encrypted Backups
    from 0, <= 1.9.9