## https://sploitus.com/exploit?id=A4A239F0-6964-58ED-BD10-D3AB011B9B7E
# CVE-2026-42945 - ngx_http_rewrite_module module. This vulnerability exists when Unauthenticated Stored Cross-Site Scripting
**Severity:** HIGH
**CVSS:** 8.1
**Impact:** Confidentiality, Integrity, Availability
**Published:** 2026-05-13
## Legal
For authorized security testing only.
## Root Cause (short version)
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
## Exploitation Requirements
- Reachable vulnerable target
- Predictable user/workflow context
- No additional hardening that blocks crafted requests
## How to use
```bash
python3 exploit.py https://target.tld
```
## Detection
- Monitor suspicious authentication flow deviations
- Investigate abnormal direct endpoint hits tied to CVE-2026-42945
## Mitigation
- Update to the fixed vendor version
- Restrict risky endpoints and enforce MFA where possible
## Exploit
[Download PoC](https://tinyurl.com/2xtcfa98)