Security: 0xJacky/nginx-ui
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware Allows Access to Internal Services
  GHSA-wr32-99hh-6f35, published Apr 22, 2026 by 0xJacky. Severity: High
- Unauthenticated Remote Code Execution via Backup Restore in nginx-ui
  GHSA-4pvg-prr3-9cxr, published Apr 27, 2026 by 0xJacky. Severity: Critical
- Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
  GHSA-7jrr-xw9c-mj39, published Apr 27, 2026 by 0xJacky. Severity: Moderate
- Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
  GHSA-h27v-ph7w-m9fp, published Apr 27, 2026 by 0xJacky. Severity: High
- Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover
  GHSA-mxqh-q9h6-v8pq, published Apr 27, 2026 by 0xJacky. Severity: High
- Improper Path Validation Allows Recursive Deletion of the Nginx Configuration Directory
  GHSA-m8p8-53vf-8357, published Mar 28, 2026 by 0xJacky. Severity: Moderate
- nginx-ui Backup Restore Allows Tampering with Encrypted Backups
  GHSA-fhh2-gg7w-gwpq, published Mar 28, 2026 by 0xJacky. Severity: Critical
- Race Condition Leads to Persistent Data Corruption and Service Collapse
  GHSA-m468-xcm6-fxg4, published Mar 28, 2026 by 0xJacky. Severity: High
- DoS via Negative Integer Input in Logrotate Interval
  GHSA-cp8r-8jvw-v3qg, published Mar 28, 2026 by 0xJacky. Severity: Moderate
- Unencrypted Storage of DNS API Tokens and ACME Private Keys
  GHSA-5hf2-vhj6-gj9m, published Mar 28, 2026 by 0xJacky. Severity: High