Total CVEs

142,696

Critical Severity

4,021

High Severity

14,390

Last 7 Days

1,393
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 13,521 - 13,540 of 39,101 CVEs
CVE-2026-42946 MEDIUM - 6.5

A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upst...

Vendor: F5
Product: NGINX Plus, NGINX Open Source
Published: May 13, 2026
Source: NVD
CVE-2026-42945 HIGH - 8.1

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement s...

Vendor: F5
Product: NGINX Plus, NGINX Open Source
Published: May 13, 2026
Source: NVD
CVE-2026-42937 MEDIUM - 6.5

Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network information.  Note: Software versions which have reached End of Techni...

Vendor: F5
Product: BIG-IP, BIG-IQ
Published: May 13, 2026
Source: NVD
CVE-2026-42934 MEDIUM - 4.8

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions beyond the a...

Vendor: F5
Product: NGINX Plus, NGINX Open Source
Published: May 13, 2026
Source: NVD
CVE-2026-42930 HIGH - 8.7

When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP system.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendor: F5
Product: BIG-IP
Published: May 13, 2026
Source: NVD
CVE-2026-42926 MEDIUM - 5.8

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.  Note: Software versions which have reached End of Technical Support (EoTS) are not e...

Vendor: F5
Product: NGINX Open Source
Published: May 13, 2026
Source: NVD
CVE-2026-42924 HIGH - 8.7

An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendor: F5
Product: BIG-IP
Published: May 13, 2026
Source: NVD
CVE-2026-42920 HIGH - 7.5

When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendor: F5
Product: BIG-IP
Published: May 13, 2026
Source: NVD
CVE-2026-42919 MEDIUM - 6.7

A vulnerability exists in BIG-IP systems that may allow an authenticated attacker with administrative access to escalate their privileges. A successful exploit may allow the attacker to cross a security boundary.  Note: Software versions which have reached End of Technical Support (EoTS) are not ev...

Vendor: F5
Product: BIG-IP
Published: May 13, 2026
Source: NVD
CVE-2026-42781 MEDIUM - 6.5

When embedded Packet Velocity Acceleration (ePVA) acceleration is configured, undisclosed local ethernet traffic can cause an increase in ePVA and Traffic Management Microkernel (TMM) resource utilization.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendor: F5
Product: BIG-IP
Published: May 13, 2026
Source: NVD
CVE-2026-42780 MEDIUM - 4.9

A directory traversal vulnerability exists in BIG-IP SSL Orchestrator that allows an authenticated attacker with high privilege to overwrite, delete or corrupt arbitrary local files.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendor: F5
Product: BIG-IP, SSL Orchestrator
Published: May 13, 2026
Source: NVD
CVE-2026-42409 HIGH - 7.5

When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are...

Vendor: F5
Product: BIG-IP, BIG-IP Next SPK, BIG-IP Next CNF, BIG-IP Next for Kubernetes
Published: May 13, 2026
Source: NVD
CVE-2026-42408 MEDIUM - 4.4

When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed TMOS Shell (tmsh) command that may allow a highly privileged authenticated attacker to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendor: F5
Product: BIG-IP
Published: May 13, 2026
Source: NVD
CVE-2026-42406 HIGH - 8.7

A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands.     Note: Software versions which have reached End of Technical Support (EoTS) are ...

Vendor: F5
Product: BIG-IP, BIG-IQ
Published: May 13, 2026
Source: NVD
CVE-2026-42063 MEDIUM - 4.9

A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendor: F5
Product: BIG-IP
Published: May 13, 2026
Source: NVD
CVE-2026-42058 MEDIUM - 4.3

An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendor: F5
Product: BIG-IP
Published: May 13, 2026
Source: NVD
CVE-2026-41959 MEDIUM - 6.5

Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of destination systems.  Note: Software versions which have rea...

Vendor: F5
Product: BIG-IP, BIG-IQ
Published: May 13, 2026
Source: NVD
CVE-2026-41957 HIGH - 8.8

An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendor: F5
Product: BIG-IP, BIG-IQ
Published: May 13, 2026
Source: NVD
CVE-2026-41956 HIGH - 7.5

When a classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendor: F5
Product: BIG-IP, BIG-IP Next CNF, BIG-IP Next for Kubernetes
Published: May 13, 2026
Source: NVD
CVE-2026-41954 MEDIUM - 4.9

Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.  Note: Software versions which have reached End of Techni...

Vendor: F5
Product: BIG-IP, BIG-IQ
Published: May 13, 2026
Source: NVD