
AI agent finds 18-year-old remote code execution flaw in Nginx
Researchers have found a critical vulnerability in the widely used Nginx web server that can potentially lead to remote code execution under certain conditions. The flaw is a heap buffer overflow that has gone undetected in the program’s code for the past 18 years.
Tracked as CVE-2026-42945, the vulnerability is one of 4 bugs found in Nginx by researchers from security startup DepthFirst AI, using their LLM-powered platform. It adds to the growing number of flaws in high-profile open-source projects that security scanners and humans missed for years, but which have been discovered with the help of AI models in recent months.
Nginx is one of the most popular web servers, powering...