exploitDog

CVE-2026-28753

Published: 24 Mar 2026
Source: nvd
CVSS3: 3.7
EPSS: Low

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r35:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*

Configuration 2

One of

cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
Version from 0.6.27 (inclusive) to 0.9.7 (inclusive)
cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
Version from 1.0.0 (inclusive) to 1.28.3 (exclusive)
cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
Version from 1.29.0 (inclusive) to 1.29.7 (exclusive)

EPSS

Percentile: 6%
0.00024
Low

3.7 Low

CVSS3

Weaknesses

CWE-93

Related vulnerabilities

CVSS3: 3.7
redhat
7 days ago

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS3: 3.7
msrc
5 days ago

NGINX ngx_mail_proxy_module vulnerability

CVSS3: 3.7
debian
7 days ago

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_ ...

CVSS3: 3.7
github
7 days ago

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
