Security vendor Pluto Security has published details of a critical vulnerability in the open-source nginx UI web server configuration tool that has been under active exploitation by cybercriminals since March. News of the flaw, identified as CVE-2026-33032, first appeared on the National Vulnerability Database (NVD) on March 30, the same day that threat intelligence companies VulnCheck and Recorded Future’s Insikt Group noted it was under active exploitation. What users didn’t have at that point were any details on the flaw from Pluto Security, the company that discovered it earlier that month. This week, the company rectified this, publishing a full breakdown of the vulnerability. Nginx UI ...