{"vulnerability": "cve-2026-9256", "sightings": [{"uuid": "32579c91-3e90-4298-888b-e79cc6184ad6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "Telegram/tLTaf5zN9aUn_D8KOi_rgxptZENw0EocHmy4bQpa2VASaD8", "content": "", "creation_timestamp": "2026-05-24T09:00:04.000000Z"}, {"uuid": "09aa6685-442a-442e-95d6-5515097af3eb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116618991514251454", "content": "A new vulnerability with increased severity was disclosed for F5 NGINX Plus and NGINX Open Source (CVE-2026-9256) https://vuldb.com/vuln/365202", "creation_timestamp": "2026-05-22T15:43:17.057509Z"}, {"uuid": "b47b14a4-426b-4154-b002-490f9168dbf9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/boredchilada.bsky.social/post/3mmhd6h3yn32k", "content": "~Cybergcca~\n6 advisories released, highlighting a highly critical Drupal SQL injection (CVE-2026-9082) exploited in the wild and critical F5 NGINX flaws.\n-\nIOCs: CVE-2026-9082, CVE-2026-9256\n-\n#CVE20269082 #Drupal #ThreatIntel #Vulnerability", "creation_timestamp": "2026-05-22T16:11:43.203330Z"}, {"uuid": "d0d64a8f-e4aa-4651-b4b8-195b31bd3527", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://cyber.gc.ca/en/alerts-advisories/f5-security-advisory-av26-501", "content": "", "creation_timestamp": "2026-05-22T09:02:13.000000Z"}, {"uuid": "df9fe749-1f48-44fe-8af9-56ee6c6d4fc4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmhinmth2b2k", "content": "CVE-2026-9256 - NGINX ngx_http_rewrite_module vulnerability\nCVE ID : CVE-2026-9256\n \n Published : May 22, 2026, 2:11 p.m. | 2\u00a0hours, 48\u00a0minutes ago\n \n Description : NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability ...", "creation_timestamp": "2026-05-22T17:49:40.822633Z"}, {"uuid": "74a6281f-c165-48a2-9e02-0da5a8e25f46", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/r-netsec-bot.bsky.social/post/3mmhptdqmal2g", "content": "CVE-2026-9256 - \"nginx-poolslip\", another new vulnerability in the rewrite module", "creation_timestamp": "2026-05-22T19:58:08.631431Z"}, {"uuid": "982537a1-038e-4083-89d2-d75c9fe27e15", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://infosec.exchange/users/cR0w/statuses/116620003808518966", "content": "Another vuln in NGINX rewriting. Looks pretty similar to the last one. Requires ASLR bypass or disabled for RCE.\nhttps://my.f5.com/manage/s/article/K000161377\n\nNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, /((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. (CVE-2026-9256)", "creation_timestamp": "2026-05-22T20:00:39.688281Z"}, {"uuid": "a993ad22-4bbb-4a9f-ba10-9e179ff95b75", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/r-netsec.bsky.social/post/3mmhqhrizki2g", "content": "CVE-2026-9256 - \"nginx-poolslip\", another new vulnerability in the rewrite module", "creation_timestamp": "2026-05-22T20:09:34.185879Z"}, {"uuid": "6ab8f904-e88b-4603-90b6-a99a3f12ed6a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://mstdn.social/users/jschauma/statuses/116620852119462759", "content": "The previous announced sibling vulnerability to \"nginx rift\" has been fixed by F5 and has been assigned CVE-2026-9256):\nhttps://my.f5.com/manage/s/article/K000161377\nThis was previously called \"nginx-poolslip\" (https://nitter.net/nebusecurity/status/2057071579876753643) and is a DoS with possible RCE (\"if the attacker can bypass ASLR\" - not sure how?), using a similar regex capture vector.\nWouldn't be surprised if this is the new norm: one vuln lands, everybody points their AI at that attack vector and discovers sibling vulns.", "creation_timestamp": "2026-05-22T23:36:24.040138Z"}, {"uuid": "66fe738e-15e6-4d80-839a-a3c1e28ed090", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/jschauma.mstdn.social.ap.brid.gy/post/3mmi3znywbij2", "content": "The previous announced sibling vulnerability to \"nginx rift\" has been fixed by F5 and has been assigned CVE-2026-9256):\n\nhttps://my.f5.com/manage/s/article/K000161377\n\nThis was previously called \"nginx-poolslip\" (https://nitter.net/nebusecurity/status/2057071579876753643) and is a DoS with [\u2026]", "creation_timestamp": "2026-05-22T23:36:29.984102Z"}, {"uuid": "968143dc-f4c9-4e90-b176-6e02298a9939", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mmiang525h2v", "content": "NGINX ngx_http_rewrite_module buffer overflow (CVE-2026-9256)", "creation_timestamp": "2026-05-23T00:59:06.066348Z"}, {"uuid": "df5a809a-8ec5-4129-81aa-8da6e6663e6e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116622178040678966", "content": "It is possible to see elevated activities targeting F5 NGINX Plus and NGINX Open Source (CVE-2026-9256) https://vuldb.com/vuln/365202/cti", "creation_timestamp": "2026-05-23T05:13:35.169271Z"}, {"uuid": "5c1210e8-c890-4212-a251-5c85f6211a5f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "Telegram/-ZaOSBs5QfE8Ryorjte0HRYdJ3XwemRFp0pA5mG04K2Sq_U", "content": "", "creation_timestamp": "2026-06-03T03:00:11.000000Z"}, {"uuid": "687d8366-42a8-43bf-9295-9397cccb88fe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/Kubernetes.activitypub.awakari.com.ap.brid.gy/post/3mmvj65tvwwk2", "content": "NGINX Under Active Attack: CVE-2026-42945 and CVE-2026-9256 Put Your Infrastructure at Risk Two critical NGINX heap buffer overflows are under active exploitation. Learn what's at risk, affecte...\n\n#Security #Bulletin #CVE-2026-42945 #CVE-2026-9256 #NGINX [\u2026] \n\n[Original post on indusface.com]", "creation_timestamp": "2026-05-28T07:38:45.815005Z"}, {"uuid": "91114c2f-f2c9-4beb-b7bd-059229bd6084", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "Telegram/mMN-AjvGpcaE-zo6q0YmV9Qj204A53PE-cWPysE2p8vK_VY", "content": "", "creation_timestamp": "2026-05-28T11:00:13.000000Z"}, {"uuid": "d0f7d43c-c5b3-4a44-a758-3aea567a237c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://t.me/bdufstecru/3194", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044f ngx_http_rewrite_module \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432 NGINX Plus \u0438 NGINX Open Source \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435\u043c \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 \u0434\u0438\u043d\u0430\u043c\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u043f\u0430\u043c\u044f\u0442\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u0438\u043b\u0438 \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438 \u043f\u0443\u0442\u0435\u043c \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e HTTP-\u0437\u0430\u043f\u0440\u043e\u0441\u0430\n\nBDU:2026-07182\nCVE-2026-9256\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://my.f5.com/manage/s/article/K000161377", "creation_timestamp": "2026-05-25T14:46:51.000000Z"}, {"uuid": "5f40839a-f4e0-41a1-90c8-4f07d8f288e3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/boredchilada.bsky.social/post/3mmoui27mho26", "content": "~Cybergcca~\nCCCS released 7 advisories for IBM, Roundcube, Dell, Ubuntu, CISA ICS, Red Hat, and cPanel.\n-\nIOCs: CVE-2026-9256\n-\n#Patch #ThreatIntel #Vulnerability", "creation_timestamp": "2026-05-25T16:09:56.663682Z"}, {"uuid": "2b0d65c5-054f-4be9-8ca1-c4487376a29b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://cyber.gc.ca/en/alerts-advisories/cpanel-security-advisory-av26-508", "content": "", "creation_timestamp": "2026-05-25T07:30:43.000000Z"}, {"uuid": "e56a475d-524c-499b-922f-7a908b1ccd73", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mmr375cpjn2h", "content": "\ud83d\udd17 CVE : CVE-2026-9256", "creation_timestamp": "2026-05-26T13:15:33.798628Z"}, {"uuid": "cfe17f51-7354-4ea0-90a9-618a979fe454", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/opsmatters.com/post/3mmuzgqmz262l", "content": "The latest update for #CyCognito includes \"Emerging Threat: (CVE-2026-9256) NGINX Heap Buffer Overflow via Rewrite Module\" and \"Emerging Threat: (CVE-2026-48172) LiteSpeed cPanel Plugin Privilege Escalation to Root\".\n \n#cybersecurity #AttackSurfaceManagement #EASM https://opsmtrs.com/44Srq0X", "creation_timestamp": "2026-05-28T02:54:39.834940Z"}, {"uuid": "ba668e23-0906-4a96-9600-6b5fcb25e723", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/opsmatters.com/post/3mn23th5ytx2x", "content": "The latest update for #Indusface includes \"6 WAAP Features Every Bank and Financial Institution Needs in 2026\" and \"NGINX Under Active Attack: CVE-2026-42945 and CVE-2026-9256 Put Your Infrastructure at Risk\".\n \n#cybersecurity #infosec https://opsmtrs.com/3ySs2VF", "creation_timestamp": "2026-05-30T03:20:52.866875Z"}, {"uuid": "2c57ccec-141b-4b73-9fba-7d9eaf5073b3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://t.me/GithubRedTeam/87066", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026 #POC\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-9256-POC\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a 06-ux\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-06-03 02:52:39\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nCVE-2026-9256 Nginx heap buffer overflow POC\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-06-03T03:00:05.000000Z"}, {"uuid": "bcd1acf9-1019-45c2-b280-4543caabe4e3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/87458", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026 #POC #RCE\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a Nginx-chain-Rift-Poolslip\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a y198nt\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-06-05 15:24:17\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nNginx RCE chain PoC with CVE-2026-9256 and CVE-2026-42945\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-06-05T16:00:03.000000Z"}, {"uuid": "e38f1597-c468-46b4-85de-fc610a72f51c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "Telegram/5i-pTes7Ja_8Uhuw9wP6auiAd2fWyZYO3DYvaqIb_mREm_4", "content": "", "creation_timestamp": "2026-06-03T09:00:04.000000Z"}, {"uuid": "f4dd7847-70ca-4f61-8550-333fbdd214d5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://bsky.app/profile/keiwork35.bsky.social/post/3mnmivx7kwl2c", "content": "\u3010\u7dca\u6025\u3011CVE-2026-9256 NGINX Plus\u304a\u3088\u3073NGINX Open Source\u306b\u6df1\u523b\u306a\u8106\u5f31\u6027\uff5c\u5373\u6642\u5bfe\u5fdc\u304c\u5fc5\u8981\n\nCVE-2026-9256\u306f\u3001NGINX Plus\u304a\u3088\u3073NGINX Open Source\u306b\u5b58\u5728\u3059\u308b\u8106\u5f31\u6027\u3067\u3059\u3002\u3053\u306e\u8106\u5f31\u6027\u306f\u3001ngx_http_rewrite_module\u30e2\u30b8\u30e5\u30fc\u30eb\u306b\u95a2\u9023\u3057\u3066\u304a\u308a\u3001\u7279\u5b9a\u306e\u6761\u4ef6\u4e0b\u3067\u60aa\u7528\u3055\u308c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002", "creation_timestamp": "2026-06-06T11:02:50.203331Z"}]}