NGINX Plus and NGINX Open Source have a vulnerability in...
Moderate severity
Unreviewed
Published Mar 24, 2026 to the GitHub Advisory Database • Updated Mar 24, 2026
Published by the National Vulnerability Database: Mar 24, 2026
Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
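The class of check that prevents this kind of injection, as an added example (not NGINX source code and not the vendor's fix): a name taken from a DNS response is validated as a plain hostname before it is copied into a CRLF-terminated SMTP line. The function names, the `XNAME` verb and the sample names are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DNS labels are arbitrary octets on the wire, so a name taken from a
 * response must be validated before it is copied into a line-based
 * protocol. Accept only LDH hostnames: letters, digits, hyphen, dots. */
static int dns_name_is_safe(const unsigned char *name, size_t len)
{
    size_t i, label = 0;               /* label = length of current label */
    if (len == 0 || len > 253) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = name[i];
        if (c == '.') {
            /* reject an empty label or a label ending in '-' */
            if (label == 0 || name[i - 1] == '-') return 0;
            label = 0;
            continue;
        }
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-'))
            return 0;                  /* CR, LF, NUL, space, ':' ... */
        if (label == 0 && c == '-') return 0;
        if (++label > 63) return 0;
    }
    /* label == 0 here means one trailing dot, which is allowed */
    return label == 0 || name[len - 1] != '-';
}

/* Writes "<verb> <name>\r\n" into out. Returns the number of bytes written,
 * or -1 if the name is unsafe or the buffer is too small. */
static int build_line(char *out, size_t cap, const char *verb,
                      const unsigned char *name, size_t len)
{
    int n;
    if (!dns_name_is_safe(name, len)) return -1;
    n = snprintf(out, cap, "%s %.*s\r\n", verb, (int) len, (const char *) name);
    return (n < 0 || (size_t) n >= cap) ? -1 : n;
}

int main(void)
{
    /* Constructed inputs: a normal name and one carrying CRLF. */
    static const unsigned char ok[]  = "mail.example.test";
    static const unsigned char bad[] = "mail.example.test\r\nX-Injected: 1";
    char line[128];
    printf("ok  -> %d\n", build_line(line, sizeof(line), "XNAME", ok, sizeof(ok) - 1));
    printf("bad -> %d\n", build_line(line, sizeof(line), "XNAME", bad, sizeof(bad) - 1));
    return 0;
}
```

The validator is an allowlist, so it rejects every byte outside the hostname alphabet rather than only CR and LF.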