8.8
HIGH CVSS 4.0
CVE-2026-60005
NGINX ngx_http_slice_module vulnerability
Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_slice_module module. When the slice directive and unnamed regex captures are configured or when a background cache update happens, unauthenticated attackers can send requests that may cause uninitialized memory access in the NGINX worker process, leading to limited disclosure of memory or a restart. Impact: This vulnerability may allow remote, unauthenticated attackers to have limited control to disclose memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: The ngx_http_slice_module module is not enabled by default; it's enabled with the --with-http_slice_module configuration parameter. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

INFO

Published Date :

July 15, 2026, 3:04 p.m.

Last Modified :

July 15, 2026, 3:04 p.m.

Remotely Exploit :

Yes !

Source :

f5
Affected Products

The following products are affected by CVE-2026-60005 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 F5 nginx_plus
2 F5 nginx_open_source
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH 9dacffd4-cb11-413f-8451-fbbfd4ddc0ab
CVSS 4.0 HIGH 9dacffd4-cb11-413f-8451-fbbfd4ddc0ab
Solution
Update NGINX to a patched version to fix uninitialized memory access issues.
  • Update NGINX to a fixed version.
  • Disable the slice directive if not needed.
  • Avoid background cache updates with slices.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-60005 vulnerability anywhere in the article.

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.